MS Giving Exploit Writers Clues To Flaws
In the IT trench writes "How's this for a new twist on the old responsible disclosure debate? Hackers are using clues from Microsoft's pre-patch security advisories to create and publish proof-of-concept exploits. The latest zero-day flaw in the Windows DNS Server RPC interface implementation is a perfect example of the tug-o-war within the Microsoft Security Response Center about how much information should be included in the pre-patch advisory."
All of those things like ActiveX, remote administration, etc. Anything that allows someone else to execute code on your computer; how did they ever imagine this would be a good idea? How about leaving some of that vulnerable code out of the shipping product?
Just look at the name of the vulnerable service in the current newsflash; RPC, aka Remote Procedure Call. How nice of Microsoft to make the cracker's job easier - all he has to do is poke in his exploit code via the typical buffer / stack overflow and use the friendly Microsoft-supplied interface to trigger it.
That reminds me - didn't they make a big fuss a while back about how they'd gone over all the code and eliminated all the unchecked buffers, etc.? Clearly that didn't happen; makes one wonder if they're lying or stupid...
It is melancholy that once a typical person learns a desktop manager, that person will stay with that desktop manager, even when it means giving up big bucks, as opposed to just downloading a copy of Ubuntu 7.04 - for free! Microsoft knows this, cold. When it comes to those who would exploit users' sloth for purchasing a known product riddled with flaws, it only takes an enterprising few to ruin every Microsoft user's day, globally. One should notice that Microsoft's "Software Agreement" says you cannot sue them for their negligence, but not the other way around. Microsoft may be many things, but foolish is not on that list.