information security, the outdoors and me
# Saturday, January 07, 2006

Microsoft needs to provide free, built-in 0-day protection for their OSes.

So, as many have probably heard, this Microsoft Windows WMF vulnerability was getting massive amounts of security community attention, including a well-dissected hotfix from a well-known developer.  So I myself sent two critical emails to Microsoft trying to encourage them to work with this community effort for a quick hotfix.  They were both essentially dismissed via replies, but I'm sure that my emails, along with the hundreds of others they probably received, made the points of concern clear.

This wasn't about profit, "open source" or even "free 0-day protection", but about protecting Microsoft customers.  This is a key part of their Trustworthy Computing initiative.  There were numerous people working to identify the security vulnerability, test it and discuss it.  When everyone complained to Microsoft about the situation, clearly Microsoft noticed that the customer wasn't satisfied with waiting 10 days for a hotfix.  If a non-Microsoft developer could build a "patch" to protect users, get it tested and deployed in 4 days, then Microsoft should be able to do that or better.

As it turned out, Microsoft addressed the exact same piece of code that was of concern.  So the "unofficial" patch was correct and protected users.

Now the big point is: why can't Microsoft do something like this quick hotfix?  Well, it sounds like Microsoft doesn't think they have impacted their customers enough by costing them untold millions in lost productivity and revenue with all of the vulnerabilities over the years.  Apparently Trustworthy Computing means "Trust Microsoft, and only Microsoft".  This is an unacceptable stance in the realm of information security.

Microsoft could easily build a framework to deploy quick hotfixes that merely block vulnerable code.  They don't need to fix the code immediately, just offer something that blocks access to the bad code.  This is why the unofficial hotfix was so perfect.  It didn't ask users to replace a file provided by Microsoft; it just put one in the middle and intercepted the vulnerable code.
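To make the "put one in the middle" idea concrete, here is an added example of the interposition pattern in C. It is constructed for this post and is not the unofficial hotfix, Microsoft's code, or the WMF format: a hypothetical record interpreter dispatches through a handler table, and a shim swaps one table entry for a guard that refuses the hazardous opcode and logs the attempt, leaving the original handler on disk untouched and restorable once a real fix ships. The record layout, opcode names and return codes are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record interpreter standing in for a vulnerable component.
 * The record format, opcodes and handler names are constructed for this
 * illustration; they are not the WMF format or any Microsoft API. */

typedef struct {
    uint8_t opcode;
    uint16_t len;
    const uint8_t *payload;
} record_t;

typedef int (*handler_fn)(const record_t *rec);

enum { OP_DRAW = 1, OP_TEXT = 2, OP_CALLBACK = 3, OP_MAX = 4 };
enum { RC_OK = 0, RC_BLOCKED = -1, RC_MALFORMED = -2 };

static int handle_draw(const record_t *rec) { (void)rec; return RC_OK; }
static int handle_text(const record_t *rec) { (void)rec; return RC_OK; }

/* Stand-in for the hazardous code path. A blocking hotfix never edits this
 * function; it only stops the dispatcher from reaching it. */
static int handle_callback(const record_t *rec) { (void)rec; return RC_OK; }

/* The component's dispatch table. The shim rewrites one entry here instead of
 * asking the user to replace the file that contains the handlers. */
static handler_fn g_handlers[OP_MAX] = { NULL, handle_draw, handle_text, handle_callback };

/* ---- shim: interposed between the dispatcher and the vulnerable handler ---- */
static handler_fn g_saved_callback = NULL;
static unsigned long g_blocked = 0;

static int guarded_callback(const record_t *rec) {
    /* Policy of a blocking hotfix: refuse the hazardous opcode outright and log
     * it for the operator; no attempt is made to repair the handler itself. */
    g_blocked++;
    fprintf(stderr, "shim: blocked opcode %u (len=%u)\n", rec->opcode, rec->len);
    return RC_BLOCKED;
}

int install_shim(void) {
    if (g_saved_callback != NULL) return 1;      /* already installed */
    g_saved_callback = g_handlers[OP_CALLBACK];
    g_handlers[OP_CALLBACK] = guarded_callback;
    return 0;
}

int remove_shim(void) {
    if (g_saved_callback == NULL) return 1;      /* nothing to undo */
    g_handlers[OP_CALLBACK] = g_saved_callback;  /* restore the original path once a real fix ships */
    g_saved_callback = NULL;
    return 0;
}

unsigned long shim_blocked_count(void) { return g_blocked; }

/* Parses a stream of [opcode:1][len:2 little-endian][payload:len] records and
 * dispatches each one. Returns the number of records handled, RC_MALFORMED on a
 * truncated or unknown record, or RC_BLOCKED as soon as the shim refuses one
 * (the hotfix fails closed rather than skipping the record). */
int process_stream(const uint8_t *buf, size_t n) {
    size_t pos = 0;
    int handled = 0;
    while (pos < n) {
        if (n - pos < 3) return RC_MALFORMED;
        record_t rec;
        rec.opcode = buf[pos];
        rec.len = (uint16_t)(buf[pos + 1] | (buf[pos + 2] << 8));
        pos += 3;
        if (n - pos < rec.len) return RC_MALFORMED;
        rec.payload = buf + pos;
        pos += rec.len;
        if (rec.opcode == 0 || rec.opcode >= OP_MAX) return RC_MALFORMED;
        int rc = g_handlers[rec.opcode](&rec);
        if (rc != RC_OK) return rc;
        handled++;
    }
    return handled;
}

/* Constructed sample streams: one that reaches the hazardous opcode (with two
 * payload bytes), one that uses only the benign opcodes, and one truncated. */
static const uint8_t SAMPLE_STREAM[] = { OP_DRAW, 0, 0, OP_CALLBACK, 2, 0, 0xAA, 0xBB, OP_TEXT, 0, 0 };
static const size_t SAMPLE_STREAM_LEN = sizeof SAMPLE_STREAM;
static const uint8_t SAFE_STREAM[] = { OP_DRAW, 0, 0, OP_TEXT, 0, 0 };
static const size_t SAFE_STREAM_LEN = sizeof SAFE_STREAM;
static const uint8_t TRUNCATED_STREAM[] = { OP_DRAW, 5, 0, 0x01 };
static const size_t TRUNCATED_STREAM_LEN = sizeof TRUNCATED_STREAM;

int main(void) {
    printf("without shim: %d\n", process_stream(SAMPLE_STREAM, SAMPLE_STREAM_LEN));
    install_shim();
    printf("with shim:    %d (blocked=%lu)\n",
           process_stream(SAMPLE_STREAM, SAMPLE_STREAM_LEN), shim_blocked_count());
    printf("safe input:   %d\n", process_stream(SAFE_STREAM, SAFE_STREAM_LEN));
    remove_shim();
    return 0;
}
```

The design choice worth noting is that the shim is reversible: `remove_shim` puts the original pointer back, so the stopgap can be withdrawn cleanly when the vendor's real fix arrives, which is exactly the property that makes a block-only hotfix low-risk to deploy quickly.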

All in all, I really think that Microsoft is afraid of too many things, not unable to solve the problem. I'm sure there are IP questions about third-party hotfixes. I'm sure there are patch availability, reliability and trustworthiness concerns. But I'm also sure Microsoft can do a whole lot more to protect its users than it is doing today.

So, go demand that Microsoft build a 0-day protection framework that protects their customers.

Saturday, January 07, 2006 12:56:32 PM (Eastern Standard Time, UTC-05:00)
© Copyright 2009 ydns