Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: MSIE src&name property disclosure
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 09 Nov 2004 02:14:15 +0200

Dave Aitel wrote:

> This is another reason why studies comparing Microsoft's security to Open Source security are always bizzare. They compare the entire set of Linux vulnerabilities to a tiny subset of the bugs Microsoft knows about, but pretends other people don't. WINS is a classic example.

Actually, I personally have nothing against MS. They succeeded where many failed. Good for them!

Their bad attitude and bloody competitive nature can hardly be blamed in the world they compete in... and their corporate culture.. it's their own problem.

So where do I blame them? I blame them in how they treat me;

- They have released vague and mind-boggling advisories (where do I
  start?).
- They don't advertise most of their security issues (remember defcon a
  couple of years back with the CoDC and their "we already use that
  computer name?" issue? MS refused to give credit because "they were
  already aware of the issue").
- They hide security patches inside other patches (so much that the best
  way to find Windows vulnerabilities is to do reversing on their
  patches).
- They pre-patch products and for that reason hold on patches until such
  products are out (XP SP2).
- They insist on dealing with trouble by either ignoring it or killing
  it by applying a band-aid (I'll give only one example: winnuke and
  closing the port).

And don't even get me started on "viruses" (all the way back through macro viruses and beyond).

I don't envy, hate or mock Microsoft. I actually appreciate what they have accomplished. I have a serious issue with their way of doing business with non-competition - the way they treat me as a security professional.

All the above, is naturally, only my personal opinion. I may have some of the details not 100% accurate, but I stand by the spirit of the words.

I tried and start a good-natured FACTUAL discussion on the subject in the past - but all the kiddies always jump up and yell. In this case, even some of my best friends enter the yelling criteria.

Oh.. and any idea why MS keeps adding caches on caches on caches to solve problems? It turns me crazy. Which reminds me of a similar discussion on a list I own a bit back. Someone asked why IE keeps checking a certain Windows game - it was turning him crazy. So the Managing Director of a big disassembler/debugger company offered to make it a "surprise discount" on the order forms if someone wrote the name of the game there.
It was hilarious. :o)

That's the best you will see out of me on religion. I decide to comment on such issues about twice a year.

    Gadi Evron.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]