Domain: eeye.com
Stories and comments across the archive that link to eeye.com.
Comments · 193
-
Re:I dunno
Does breaking the PKI consist of breaking TLS?
What "breaking of PKI" are you referring to? If you mean certificates generated with non-random keys then this does not break TLS itself - though of course connections using weak certificates could be compromised. Ditto for certificates issued with short keys. As for compromised CAs, this could be seen as a weakness in the whole idea of centralised trusted CAs. While I like the idea of decentralised CAs, I think that it is not something to be rushed into.
-
Fixed in JRE 5 Update 12?
If this is about the buffer overflow in JNLP ("Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability"), then the fix has already been released with JRE 5 Update 12 and the latest JRE 6 update.
-
Re:Help me out
Has IIS had any remotely exploitable holes since version 5?
-
Re:start here!
Or how about these guys, they already have three exploits for MS products.
http://research.eeye.com/html/advisories/upcoming/index.html
How does it feel to know that eEye and MS have had remote access to all of your machines constantly for years? -
Third party patch ... eEye
eEye has made available a "zero-day patch" for this.
The patch blocks the loading of cursors from directories other than those below the Windows base directory. Source included.
-
Wow good job Red Hat.
Windows - 39, 12 severe, average 21 day fix
Mac - 49, 1 severe, average 66 day fix
Red Hat - 208, 2 severe, average 13 day fix
I know that Red Hat is patching more than just the OS, we are talking about people who patch little things like gaim or libfoo.so (Microsoft still hasn't patched Office since Feb. http://research.eeye.com/html/alerts/zeroday/20070209.html)
Wow, I don't care what they claim in the report. Hats off to Red Hat! -
Re:FUD Fully Expected from The Register
Can you support this?
Google for "windows local privilege escalation" and you will find about one in five of the resulting thousands of hits is a long standing unpatched escalation in XP. Here is one that has been unpatched since 2004. Vista hasn't been on the market long enough to build up such a list, but unless MS has severely changed their methods the Vista list will be just as long soon. Here is a link to one reported three days ago which is unpatched. I don't think there has ever been a time when there was not at least one outstanding, public, unpatched, local escalation in Windows. They are not even considered serious by MS and are so common they don't make the news, unlike local escalations in other OS's.
It's not really quite as big of a deal as people are making out, due to the rarity that it would ever work (installing software as non-admin).
I disagree. Most users need to install software or their computer does not work for their everyday tasks. MS's decision means most users thus need to be admin to run the average installer and so will expect to have to authenticate when installing anything. This means it will not be uncommon for admin privileges to be asked for when installing some small, non-malicious piece of software, making the process identical to installing a rootkit and meaning the user is given no warning at all when faced with a trojan.
However, I do agree that it's a shame you can't just runas and run an installer as an arbitrary non-admin account.
Theoretically, users can run installers as non-admin, if they do it manually. The problem is in practice this will not work because of MS's defaults and how that will affect developers' installers. Because of this default by MS, software people use will expect to be admin and be developed and tested as such. It completely undermines the idea of using user accounts to stop malware.
-
Re:Wow
Where is the inconsistency?
I encountered no source of confusion, finding (i) that the company currently lists Marc as CTO, and even (ii) that Marc added the CTO designation on 2006-09-18 (per a media release).
-
Re:Wow
It is customary—though obviously not required—to know the facts before attempting to correct someone else. The company's own website right now describes Marc Maiffret as "CTO/Founder and Chief Hacking Officer".
A person may have more than one C[a-z]O designation.
-
no version, no POC, selling their 'solution'
It's lame that something like this makes the front page. The report makes no mention of version, and no proof of concept code is available. Ah, but they DO try to sell you their security application which supposedly protects from this vulnerability.
-
Re:It could have been worse...
27 would have been better, maybe this would have been patched.
We could get more upset about UNPATCHED holes, not when they release fixes.
-
100% agree with you
First of all, ISS's vulnerability scanner has turned into such a piece of dog doo, I wouldn't touch it with a poop scooper. In 2005, it was installing a vulnerable MSDE onto Windows boxes, and just patching the MSDE was enough to break compatibility (this vulnerability had been out for 3 months at the time). On the product side though, ISS's scanners have been thoroughly stomped by Tenable's Nessus and eEye's Retina.
As far as ISS goes on the IDS/IPS side, their products went from leader to lackluster. Snort, Tipping point, and Intrushield - need I say more?
Then on the vulnerability database side, you have the X-Force DB being demolished by the innovative Open Source Vulnerability Database led by real security gurus like Jericho, not to mention the other DBs like Secunia, NVD, etc.
ISS = vaguely reminds me of CA, corporate types taking good products and not keeping them updated, not innovating, and just trying to suck the blood from corporate customers. -
Re:eEye close to MS?
Twas the night before Christmas, and deep in IE
A creature was stirring, a vulnerability
MS02-066 was posted on the website with care
In hopes that Team eEye would not see it there
But the engineers weren't nestled all snug in their beds,
No, PNG images danced in their heads
And Riley at his computer, with Drew's and my backing
Had just settled down for a little PNG cracking
When rendering an image, we saw IE shatter
And with just a glance we knew what was the matter
Away into SoftICE we flew in a flash
Tore open the core dumps, and threw RFC 1951 in the trash
The bug in the thick of the poorly-written code
Caused an AV exception when the image tried to load
Then what in our wondering eyes should we see
But our data overwriting all of heap memory
With heap management structures all hijacked so quick
We knew in a moment we could exploit this $#!%
More rapid than eagles our malicious pic came --
The hardest part of this exploit was choosing its name
Derek Soeder
Software Engineer
eEye Digital Security
(Copied by anon from http://www.eeye.com/html/research/advisories/AD20021211.html) -
eEye close to MS?
I don't know why you think eEye has such close ties to MS. They have been embarrassing and exploiting the hell out of MS for years. They drive MS crazy by releasing powerful exploit code and giving conference presentations such as "Remote Windows Kernel Exploitation" (BlackHat 2005). I like these guys a lot
:).
-Fyodor (Insecure.Org) -
Older Versions?
I noted that the eEye details point out this:
Symantec Antivirus 10.x
Symantec Client Security 3.x
(Other Symantec Antivirus products are also potentially affected, waiting for vendor list)
Question 1: Are Norton consumer level products (Norton/Symantec Antivirus 2006 for example) in this list?
Question 2: Where does this security vulnerability lie? In the scanning engine or in the GUI application wrapper or helper dll? This could let us know if Symantec Antivirus 9 -> 1 are bad.
I'm holding Slashdot to a Slashback on this as this unfolds.
BTW, any takers on the amount of time till patch? Clock starts now. -
eEye Patch Failed to Uninstall
Although eEye's patch claimed it would uninstall itself, it failed to do so. Their website claims:
"eEye's patch is not meant to replace the forthcoming Microsoft patch, but to provide immediate protection in lieu of an available fix. In fact, eEye has engineered the patch to automatically remove itself when Microsoft's official patch comes through."[emphasis added]
Only, don't look now, but...it's still there. Start - Settings - Control Panel - Add or Remove Programs - "eEye Digital Security Jscript Patch". There it sits. I'm running XP Pro SP 2 - 32 bit edition, with every single patch applied. So, if it didn't remove itself from mine, I'm guessing it didn't remove itself from a lot of other computers.
eEye Screws the Moose -
Re:IE7 beta2 is the solution? Not for 2K users
Looks like there may be a solution for those of us that don't have that option of switching. I read on Full Disclosure that eEye has made a patch available; has anyone else seen this claim? The post directs the user to the following site:
http://www.eeye.com/html/research/alerts/AL20060324.html
I've installed it on my wife's laptop running WinXP; however, I don't have anything to confirm the fix. Just curious if anyone has tried it? -
Re:Debunked?
Yes, but that was academic, not in the wild and it was intentionally limited to prevent it from spreading. It was made to be a non-functional exploit, just a proof of concept.
And does any of that somehow make it not a remote exploit?
Show me an exploit or evidence of a box exploited. If you have an exploit that you have reported, tell me about the existence so I can confirm it in the next security update. I know maybe none of these is possible, but you'll forgive me for being skeptical especially given some of the other comments you have made here that don't speak to your credentials (like the shell comment).
I haven't done any OS X vulnerability research myself yet. And by agreement, I'm not allowed to share the exploits I have from others, or else I would have reported them to Apple.
I have done some other work that might make me credible, if you have other examples. Some people think that the books I've worked on, speaking engagements, running vuln-dev, work at SecurityFocus, vulnerabilities found, etc.. demonstrate some degree of credibility.
BTW, here are a couple of other examples that I just happened to see today:
http://www.eeye.com/html/research/upcoming/20060307a.html
http://www.eeye.com/html/research/upcoming/20060307b.html -
Protection racket?
Certainly any Symantec product is a pox on CPU cycles and stability, in my opinion. But that is not the most important issue.
This was NOT a failure of the Microsoft anti-spyware software, which is working fine in this case. This is a failure to provide a definition file that works correctly.
However, is that an incredibly sloppy failure, or deliberate destruction of a competitor's business?
Microsoft seems to be starting a protection racket that seems to work like this:
- Microsoft releases sloppy software, as usual, with an amazing number of extremely severe vulnerabilities.
(Compare Microsoft Windows XP with OpenBSD, which is equally complicated. Quote from OpenBSD: "Code often gets audited multiple times, and by multiple people with different auditing skills." The OpenBSD team is number one because they want to be.)
- Microsoft refuses to fix vulnerabilities, as usual.
- Microsoft sells protection called OneCare Live.
- Accidentally, or not, Microsoft protection software sometimes disables the software of other companies, demonstrating that customers cannot depend on other companies for protection. So, everyone must buy their protection from Microsoft.
- Profit Before: Microsoft now sells a new copy of its operating system software to everyone who buys a new computer, even if the customer stopped using the old computer and bought a new one because the old one was too infected, and thus already owns a license.
Profit Now: A protection racket would be even more profitable. Microsoft would collect money every year for a subscription to its protection updates.
--
Before, Saddam got Iraq oil profits & paid part to kill Iraqis. Now a few Americans share Iraq oil profits, & U.S. taxpayers pay to kill Iraqis. Improvement?
-
Re:Lack of bug fixing strategy
A LATE FIX IS FINE TOO
Well, it's better than no fix or, for that matter, a poke in the eye with a sharp stick. But it doesn't exactly give you the warm fuzzies to know that Windows is vulnerable to a remote exploit a significant amount of the time - keep an eye on eEye's upcoming advisories. There seems to have been at least one remote exploit on this list most times I've looked at it over the last couple of years. That's one of the reasons Windows isn't safe without a properly configured hardware firewall. (Not that it is necessarily safe with one, but that's a minimum.)
-
Problem?
This was patched over a week ago, http://www.incidents.org/diary.php?date=2006-01-31 (bottom).
The time from exploit to patch was very fast.
Better than the length of time it takes other software developers to release a patch..
http://www.eeye.com/html/research/upcoming/index.html -
Re:This is nothing new
Yeah, this all sounds suspiciously (or at least auspiciously) similar to EEye's Retina scanner, etc. It's all been done before.
-
Little known fact
Quote from the Slashdot article: "Even if new features won't get you to upgrade to Vista, you should buy Vista for the security, urged Windows Chief Jim Allchin."
Most people don't know that there is no actual person named Allchin. That is just a nickname for Jabba the Hutt, All Chin.
When he is not assuring that there will be terrible security vulnerabilities in the present version of Windows, so that Microsoft will be able to sell the next version, Mr. "AllChin" Hutt eats cute squeaky live animals.
I want you to know that this comment has the same editorial accuracy for which Slashdot is famous. -
206 Days Overdue
Something to add to my parent comment -- Facts about Microsoft's interest in security: 206 Days Overdue.
-
Re:Stop the Presses
Ok, here is one.
On Jan 10 (2006), Apple, after having 2 and 3 months respectively to fix them, finally released a patch (7.0.4) that closed major holes in QuickTime, that allows .MOV, .GIF and QTIF (an Apple specific image format, like Microsoft's WMF) files to execute arbitrary code on both Mac OS X and Windows (assuming Windows has QuickTime installed) just by viewing them (such as through a webpage with an embedded QuickTime video).
However as with many Apple patches and updates, it hadn't been properly tested, resulting in the forums being flooded with complaints about lost functionality (DVDs stopped playing and such). Apple quickly withdrew the patch, with little notice - as if the patch never existed.
Of course eEye, the security firm that had reported the vulnerabilities to Apple months before, had now already posted rather detailed advisories which included precise exploit details.
So ask yourself: Are you a Mac user (and thus have QuickTime because it's an integrated part of the OS used for OS 9 legacy emulation [long story]) or a Windows user that has installed Apple QuickTime by choice? Have you checked for patches for QuickTime in the last 2 weeks, or seen any kind of public advisory, like you normally do when Microsoft or just about any other large software maker releases a patch? If you answered yes to number one, but no to number two, congratulations. You're a giant target for a zero-day exploit thanks to Apple and the Jobs reality distortion field. -
There are still at least 3 unpatched vulnerabilities
I just checked eEye's upcoming vulnerabilities page
.. and it looks like Microsoft has at least 3 serious unpatched vulnerabilities. Including one that they have known about for over 206 days.
http://www.eeye.com/html/research/upcoming/index.html
What's that about. -
Re:Dead On
Well consider this: 6 days ago Apple released patches for critical problems in Quicktime (make sure you update to Quicktime 7.0.4). All of them lead to reliable arbitrary code execution, as a result of Quicktime/Quicktime browser plugin/iTunes reading GIF, QTIF (an Apple image format, like Windows WMF) or MOV files. The vulnerabilities affect all operating systems using Quicktime - Windows and Mac OS X. The QTIF vulnerability was quickly patched in 12 days (a few days slower than the WMF vulnerability that everyone jumped on Microsoft about). The GIF vulnerability (the least likely to be exploited since GIF files are not usually read by Quicktime) took the longest at 71 days to patch. However the showstopper was the MOV vulnerability. It allowed for reliable code execution just by playing a MOV file - easily embedded in a webpage, almost always played by Quicktime, and usable on many free "funny video" upload services, allowing for anonymous attacks. This extremely dangerous vulnerability was reported to Apple in November but a patch wasn't released for 54 days, providing a large window for hackers to strike with a 0-day exploit. Of course when Apple released the patch, as with all of Apple's many regular security fixes, there was little fanfare. In fact sites like Slashdot.org actually rejected submissions alerting people to the need to update and protect their systems from Apple's security problem. That was a good thing for Apple, since the patch (which also fixed 4 other vulnerabilities) quickly proved to be unstable, and was withdrawn. Now anyone visiting the detailed description of the vulnerability can begin constructing and deploying infected video files designed to attack users' machines as soon as Safari, FireFox, IE or any other browser, on Mac or Windows, plays them with Apple's Quicktime plugin.
Of course with a zero-day exploit that can attack almost any non-Linux computer on the planet just by visiting a webpage now in the wild for 6 days, we haven't seen many if any attempts to use it. Maybe having legions of cult members chanting "Apple is perfect" really do protect the Mac
-
Security and Annoyances
Along with many annoying things showing up as Flash content, having the plugin enabled gives us one more place for potential security problems.
Known or not, vulnerabilities relating to images and Flash existed for a very long time. Considering that offsite content greatly increased the potential exposure of even a selective surfer, perhaps it's worth reconsidering very aggressive blocking/filtering and disabling non-essential plugins.
I haven't looked closely enough at the control offered by Firefox plugins. Is it possible to enable Flash and Javascript on a site by site basis while still blocking it for embedded offsite content? -
Real comparison
Microsoft
Six unpatched flaws, with aggregate total of 737 days since informed.
Redhat EL4
17 critical vulnerabilities [in 2005], Red Hat made fixes for every one of them available to customers via the Red Hat Network within two days of the vulnerabilities being known to the public, with 87 percent of them being available the first day. Source
[I calculate that as 19 days total exposure]
Arithmetic says: MS exposure 38.79 times as bad as RH!
-
Re:Feh !
There sure are:
http://www.eeye.com/html/research/upcoming/index.html
This list alone shows 4 unpatched "Severity: High (Remote Code Execution)" issues -
This is the perfect example
...of why we say that MS doesn't care enough about the security of its users. MS should be even more committed to improving the speed of development & QA of security patches. This particular zero-day vuln has been known for at least one week, and MS still hasn't distributed a fix. Delaying the release of a fix to Patch Tuesday doesn't make any sense when the vuln details are already publicly known. They should at least release beta patches (if the QA process is not yet complete) for users who NEED security and can afford potential stability problems. Other users can wait for Patch Tuesday if they want.
But one week is nothing compared to other vulns. Look at this list of other currently unpatched holes in MS products: http://www.eeye.com/html/research/upcoming/index.html. Some of them have been reported months ago and are still unfixed. This is inadmissible for a multi-billion dollar company. -
So what? And what do we know about this exploit?
Nothing yet, since details of the flaw won't be released by eEye until a patch is released by Apple.
If someone is wondering "should I be worried", the answer is no; exploits of this nature are usually still theoretical and not being exploited en masse "in the wild". Many of these exploits are explicitly discovered by the security organizations who have released the advisories themselves and are often not necessarily representative of any actual exploit being applied maliciously: the idea is to catch security vulnerabilities before they are actually used maliciously. Further, the exploit in question probably requires the user to specifically visit a malicious web site (other than a port open via Rende..., er I mean, Bonjour, when iTunes Sharing is enabled, I don't know of any other avenue to exploit iTunes). The exploit must, therefore, pass a url and/or file to iTunes, and therefore would very likely require visiting a malicious web site.
We don't know the details of the exploit, but I can still say it's extremely likely that it is not something that would be able to spontaneously occur simply by using iTunes in a normal fashion.
This story would more accurately be:
"Some unknown and unannounced flaw found in a piece of software; fix coming from software vendor"
Is this news?
(And it's amusing that if you buy a commercial product from the vendor issuing the vulnerability, you'll be protected! Not a rip on eEye, who has discovered a good deal of vulnerabilities, but it's not as if many of these security entities themselves don't have an interest in finding "vulnerabilities", no matter how nebulous or unlikely.) -
Re:A lot like Star Trek...
IIS has plenty of modules and add-ins (like Apache) via ISAPI - lots of vulnerabilities in IIS5 were vulnerabilities in crappier extensions that were loaded by default. IIS6 ships with far fewer things "ON" and thus is more secure. IIS6 has been out for over 2 years now, and there are plenty of people (both black hats and white hats) trying to break IIS 6 (eEye for example, which virtually specialize in IIS - http://www.eeye.com/html/research/index.html).
-
*ahem*
eEye's "upcoming advisories" page is worth a look if you're interested in just how severe microsoft's lapse in patching can be. note that this page only catalogues vulnerabilities that microsoft acknowledge and the time since such acknowledgment, not since exploit nor since they were notified.
quoth eEye's product manager: "The more critical, the more pervasive the vulnerability, the longer it takes Microsoft to patch." -
Re:Questions
Ok.
http://www.eeye.com/html/research/upcoming/20050915.html (SP2 specifically listed)
http://www.eeye.com/html/research/upcoming/20050329.html (possible, it did not specifically dismiss SP2)
http://www.eeye.com/html/research/upcoming/20050505.html (possible, it did not specifically dismiss SP2)
Of course, more buffer overflow/SP1 bugs affect people who turn off NoExecute completely in SP2. -
Re:I've seen it
So much for Microsoft's new emphasis on security.
Then there's the unpatched vulnerabilities. Some of these have been around for quite some time. Please explain how a company with money and resources, whose top priority is security, can have known security issues since March. Especially vulnerabilities involving remote code execution.
How many remote vulnerabilities has the default install of OpenBSD had since it was released? Surely MS with its 40 billion dollars in cash must have a greater number of skilled code auditors than Theo.
-
Re:They're telling you nothing
Of course they're not going to tell you what it is, it's quite possible that they've either entered into a mutually beneficial agreement with Microsoft to keep this information under their hat, or they know it's nothing to be overly concerned with, but are trying to sell protection anyway, so they're making it out to be bigger than it is.
Whatever the reason (if it isn't both), they're profiting from people's fears and Windows's insecurities. -
guess what..
Protection for the said vulnerability is already provided by eEye : Blink Endpoint Vulnerability Prevention. hmmm... -
Re: Is the Firefox Honeymoon Over?
Actually MS's batting average is 2-4 months if you take all the vulns, most of which don't hit databases, but there's plenty of stuff in the 6-8 month bracket; and they have known - fixable - vulnerabilities classed by them simply as design faults which will not be fixed, ever, and are several years old.
Here's a juicy one, but of course, as per policy, you don't get the details, because then everyone would know, and we'd see spyware and stuff using it... that said, that might be the only surefire way to kick them into patching stuff they are being lazy with.
http://www.eeye.com/html/research/upcoming/20050329.html
NONE of the ones in the eEye upcoming list are scheduled for patches anytime soon, far as I know, and far as eEye knows (that said, eEye haven't heard much, if anything; MS are, contrary to what they say, extremely uncommunicative with some security researchers, and oddly cooperative and communicative with others, and we don't know why; possibly they only go for the easy fixes, but one of my open ones is an easy fix, and it's so overdue I am beginning to consider if a public disclosure, whistleblower style, might be the right thing to do even if it really annoys MS).
Oh yeah, and Microsoft just skipped a Patch Tuesday, refusing to release a patch out-of-cycle for an extremely critical hole in IE because they couldn't fix it properly and keep ActiveX working on the first try (and no, it's not that eEye one either).
Record, as far as I know, is 44 months from discovery and private disclosure, to patch. They're SHOCKINGLY bad, they typically won't even acknowledge a vuln unless you actually provide a fully working exploit (just demonstrating there is a buffer overflow will not do it, they want to see a working exploit with remote code execution first).
And if you want them to name you rather than get pissy at you, deny you any credit and shitcan your submissions in future, you'd better not disclose anything to anyone. And will they tell you if they're doing anything? Course not. You might, maybe, get a note from a human that the vulnerability exists. And the patch appears out of nowhere, what, 3, 4 months later?
Why don't you ask Skylined, or Liu Die Yu, or Georgi Guninski? Seriously -- MSRC are crap (though it's gotta be said, I hear Oracle are worse, known for sitting on working patches).
Mozilla aren't always great, it's gotta be said, but their response times are much better. And they're generally much sounder. Opera are great.
I think the big problem is that although security is a focus now, it's a PR focus; the problem they are trying to solve is the perception of bad security in Windows, because of course, if no-one knows what a swiss cheese it is, it might as well not be for most of the cases (and the other cases, well, they're not the type of people to report vulnerabilities after discovering them, but they're also not the type of people to give their exploits out until they're extremely old or independently rediscovered). They don't really want to make Windows more secure, they want to make it appear more secure, and while part of that involves fixing bugs, a large part of their bug management process seems to involve denying their existence, smokescreening, backpedalling, and plain not saying anything.
- A slightly annoyed security researcher, who (for obvious reasons) wishes to remain anonymous -
Microsoft has never been a trust-based company.
"organizational model"
einhverfr, there is a simpler explanation of the same thing, in my opinion. Microsoft was never relationship oriented. Mentally, Bill Gates and Steve Ballmer are still the socially dysfunctional teenagers they were when they started.
Microsoft has never been a trust-based company. Anyone who tries to manage without examining the quality of relationships must manage by constantly testing the limits of what he or she can push other people to do. "Testing the Limits" management makes employees feel disrespected, because they ARE being disrespected. Before, programming was so exciting that employees were willing to be abused. Now that is beginning to change.
Microsoft has always sold mediocre products. The company has always been organized around taking advantage of technical ignorance, and around examining just how little people will accept. Think how miserable it is to work at a company that never does a good job!
Microsoft Basic was the first major product. It was poorly implemented and poorly documented. For example, there was no way to write a strictly binary file! An ASCII Hex 07 character would ring the bell rather than be written to a file.
Microsoft Assembler was provided with manuals printed from a dot matrix original. The assembler was unreliable. It would sometimes just not produce the correct instructions. The world had to wait for Borland Turbo Assembler to get a reasonably good assembler.
In an hour of testing the first version of Windows NT, which I had bought, I found 3 pages of serious bugs. My money was totally wasted.
The first version of Microsoft Access had huge bugs.
Microsoft Word in Office 2000 sometimes destroys its own files. (Tip: Open the Microsoft Word file in Open Office and save it as a .DOC file from Open Office. Then you will be able to open the file in Microsoft Word again.)
ChkDsk.exe (Check Disk) supplied with Windows XP Professional has a log file parameter. ("/L:size NTFS only: Changes the log file size to the specified number of kilobytes. If size is not specified, displays current size.") However, according to Microsoft technical support, Chkdsk does not actually produce a log.
Many other Windows XP command line interface programs don't actually work completely with Windows XP. The CLI is very incomplete and toy-like.
Microsoft software has had incredible numbers of very severe security vulnerabilities and Microsoft has been very slow to fix them. The vulnerabilities have cost customers hundreds of billions of dollars. If Microsoft had to pay for the destructiveness of all the vulnerabilities, Bill Gates would be the poorest person in the world, instead of the richest. Microsoft is like the cigarette companies. If the cigarette companies had to pay the total cost of cigarettes, including medical bills, cigarettes would not be profitable. If Microsoft had to pay for the damages caused by its mediocre software, Microsoft would not be a profitable company.
Apparently in an effort to create copy protection, Microsoft designed Windows XP to save configuration data from most programs in one huge file called the Registry. If that file somehow becomes corrupt, it can be impossible to repair for a reasonable amount of money.
Microsoft is managed around taking advantage of technical situations rather than managed around trying to develop good products. Microsoft is, in that way, more an abuse company than a software company. -
Statistics and lies
Let's say we have two products both with a dozen (12) security holes. In six months, one releases patches for 6 of the 12 problems and the other releases patches for 11 of the 12 problems. Which is the more secure product, the one with 6 problems still left unaddressed or the one with 1 problem still left unaddressed?
Where are you getting the number 6 for exploits of IE? What is the true number of exploits available for each browser? How many of those 6 IE exploits include the ones that Microsoft has not announced and has left wide open. For all the upcoming advisories from eEye Digital Security, not a single one is currently for Firefox. So, I don't care which one had to be patched more in the past. I do care about which one should have been patched over 100 days ago and wasn't! -