Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft's Security Development Process Under CC License

Posted by timothy on from the share-nicely dept.

An anonymous reader writes "The H Online writes: 'Microsoft has placed its process for secure software development under a Creative Commons License. The company hopes that this will lead to more developers utilising its process for programming software more securely across the entire product lifecycle ...'"

3 of 164 comments (clear)

  1. Re:Oh boy... by DJRumpy · · Score: 5, Insightful

    Yes and no. The MS OS is actually written with a lot of safeguards in place to make the OS more secure. Years of being attacked tends to make one a bit defensive and certainly more technically adept.

    I think their problems are on multiple fronts:

    Overly complex code
    Lax permission requirements,
    Too many admins (still default on workstation installs)
    Poorly written apps that in turn requires them to bend the rules or to provide workarounds.

    MS could take a hard line, and force apps to comply with OS guidelines, but they'd be shooting their compatibility in the foot. although I see them nudging folks in that direction, with more functions locked out by default, they have a long way to go. Instead, they bend over backwards to try to work around compatibility issues and legacy support, and as a result, leave tons of loopholes. I had great hopes for their VirtualPC bit and was hoping they would take a more Apple-centric approach, allowing them to just start with a fresh slate while virtualizing old OS compatibility. It appears that was a wasted hope however...

  2. MS Security... by leromarinvit · · Score: 5, Insightful
    Ahh yes, I can see it now:
    • Never check your input, no matter where it comes from
    • Make sure to make your algorithms as complex as possible so you don't run out race conditions and other non-trivial bugs, preferably in security critical areas
    • Embed your security flaws in specifications you'll have to honor forever to maintain backwards compatibility
    • Most importantly: When (not if) somebody finds a bug and reports it to you, don't fix it at once. Only when an exploit is out in the wild you can even start thinking about how to fix the bug.
    --
    Proud member of the Ferengi Socialist Party.
  3. Re:Oh boy... by nmb3000 · · Score: 4, Insightful

    Yeah, as I indicated, it's called "Windows Updates" - check it out sometime!

    Perhaps now you see what I am talking about... if not, check your hotfixes/ Windows updates, read what they supposedly fix, then look at the similarities between the multiple attempts to fix the same damn issue over and over again.

    So the answer is... No, you don't have any real sources. The generic description that comes with a Windows Update is just that -- generic. They all sound pretty much the same. Even the MS security bulletins like you linked to are usually pretty scant on details because they're designed to give an overview, not the nitty-gritty exploit information found elsewhere. I did look around Google for references to privilege escalation issues with .NET and didn't find anything.

    If multiple updates which all say "This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight." has you convinced they've been trying to patch the same vulnerability for 10 years, then you have other issues.

    As it stands, the specific vulnerability you point out doesn't even mention privilege escalation! It's also blazingly obvious what "Users whose accounts are configured to have fewer user rights on the system could be less impacted" means. If you don't have admin rights the worst thing the malware can do is put some entries in your startup folder/registry. If you're a full-on admin then we're talking kernel-mode drivers, raw disk access, machine-wide registry changes, the whole shebang. Big difference between the two.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)