Slashdot Mirror
Howard Schmidt Resigns As Cybersecurity Advisor
scubacuda writes "CNN and others report that former Microsoft chief of security Howard Schmidt has resigned as White House cybersecurity adviser. 'With the historic creation of the Department of Homeland Security, the transfer of many of the responsibilities from the Critical Infrastructure Protection Board and the release of the strategy, I have decided to retire after approximately 31 years of public service and return to the private sector,' Schmidt said in his April 21 e-mail."
For example, Microsoft was notified of the issues, concerning only Microsoft implementation of its JVM, on September 2nd 2002 and after SEVEN MONTHS on April 9th 2003, Microsoft have issued an update to fix the problem.
Such a delay with such a serious vulnerability is so abysmal that it borders on the absurd.
Quality and security are measures which only mean something when compared relatively to another.
There is no absolutely secure, therefore you must expect, that once a vulnerability is made known to the vendor, the vendor should do their utmost to close the Window of Exposure ( http://www.counterpane.com/window.html ) as soon as possible.
For example, with the lastest SAMBA vulnerability, once notified, the SAMBA developer owned up to the mistake and the SAMBA project released a patch within 48 hours. Within aother 24hrs, redhat had already backported the patch into their distributions RPMs. Similarly any major security issues in Mozilla and Netscape browser are also fixed and updateable within a couple of days
Meanwhile, there are currently 13 KNOWN unpatched vulnerabilities in Microsoft's Internet Explorer ( http://www.pivx.com/larholm/unpatched/ ).
Some DANGEROUSLY EXPLOITABLE have not been fixed in over a year ( http://security.greymagic.com/adv/gm002-ie/ ). That Microsoft has not rewritten the scripting system embedded with IE so that it is sandboxed by default is bad enough, but to have such major unpatched vulnerabilities exposed for months is abysmal.
Other inherent vulnerabilities, such as the Shatter attack ( http://security.tombom.co.uk/moreshatter.html ), Microsoft has known about since 1994!
Even if the API/call flaw is inherently unfixable, that is plenty of time for Microsoft to implement a safer methord/systemcall/API, adapt it's own applications to use the safer methord and depreciate the unsafe API.
It also appears that Microsoft 's own implementation of SMB is vulnerable and Microsoft has known about it for over eight years ( http://developers.slashdot.org/comments.pl?sid=599 60&cid=5681769 ), but Microsoft either choose not to, or cannot fix the problem themselves.
Microsoft is clearly not closing the vulnerabilities they are aware that exist in their products and services.
A year after after Bill Gate's Email promoting securtiy over functionality, Microsoft by choice, remains neither secure or trustworthy.
Microsoft's attitude towards the security of it's products, service and customers is abysmal.
From Jason Coombs' A response to Bruce Schneier on MS patch management and Sapphire ( http://www.securityfocus.com/archive/1/315158 )