Anyone see a game changer here?
Gadi Evron
ge at linuxbox.org
Sat Jan 23 06:32:20 UTC 2010
On 1/23/10 6:08 AM, Steven Bellovin wrote:
> I think that that's wishful thinking. IE has fewer security problems because Microsoft has put a tremendous amount of effort -- and often fought its own developers -- in a disciplined software development environment with careful, structured security reviews by people who have the power to say "no, you can't ship this". They've also put a lot of effort into building and using security tools. (For earlier comments by me on this subject, see http://www.cs.columbia.edu/~smb/blog/2009-04/2009-04-29.html)
>
> I'm not a fan of Windows. I think it's ugly and bloated, and I don't like it as a user environment. I'm typing this on a Mac (which I like for its JFW properties, not its security; I do not think it is more secure than Vista or Windows 7); I'm also a heavy user -- and a developer -- of NetBSD. If the world suddenly switched its OS of choice away from Windows, I wouldn't weep. But I also would and do hope that the other platforms, be they open or closed source, would learn from what Bill Gates has done well.
Microsoft has put a lot into securing its code, and is very good at
doing so.
My main argument here is about the policy of handling vulnerabilities
for 6 months without patching (such as this one apparently was) and the
policy of waiting a whole month before patching an in-the-wild 0day exploit.
Microsoft is the main proponent of responsible disclosure, and has shown
it is a responsible vendor. Also, patching vulnerabilities is far from
easy, and Microsoft has done a tremendous job at getting it done. I
simply call on it to stay responsible and amend its faulty and dangerous
policies. A whole month as the default response to patching a 0day? Really?
With their practical monopoly, and the resulting monoculture, perhaps
their policies ought to be examined for regulation as critical
infrastructure, if they can't bring themselves to be more responsible on
their own.
This is the first time in a long while that I find it fit to criticize
Microsoft on security. Perhaps they have grown complacent with the PR
nightmare of full disclosure a decade behind them, with most
vulnerabilities now "sold" to them directly or indirectly by the
security industry.
Gadi.
--
Gadi Evron,
ge at linuxbox.org.
Blog: http://gevron.livejournal.com/