Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Steve Gibson smokes crack?
From: bkfsec <bkfsec () sdf lonestar org>
Date: Fri, 13 Jan 2006 16:24:42 -0500

Stan Bubrouski wrote:

Ordinarily I'd argue, but its hard to when we find out Microsoft knew
about the bug for a long time and made a concious decision not to
patch it even though they knew it could lead to a system compromise.

People commented on how Microsoft put out a patch quicker than they
usually would but this is NOT THE CASE.  According to Microsoft
itself, they knew about the bug months before it was reported in
December.  Don't give credit where its not earned...

I'm going to try to walk the line here. I loath defending Microsoft, and I'm not defending them for their historical conduct, but I still can't see conspiracy theories being accurate yet.

A few incidents ("NSA" backdoor) aside, Microsoft's history with security has been one of ineptness, not "maliciousness" per-se. This is their history going back to before they purchased IE, and something that became really evident when they first began rebuilding Mosaic. The WMF bug is in line with their development methodology up until (and in some ways including) recently. Microsoft's development mantra was, for a long time, ease of use at the expense of everything else. When NT came out and Microsoft moved from producing OS' that were not network ready out of the box and toy-like GUI infrastructures, the impacts of that strategy were transposed onto administrators and users (now more vulnerable than ever) alike. Ease of use became Ease of administration, and that became Ease of development. Netscape and Sun was threatening Microsoft's monopolistic paradigm with a new platform for application development that was easily cross-platform and as a result, IE had to become an even more robust method of distributing application and administration capabilities. We now see the fallout of that decision. The web browser was never meant to be an application subsystem - it was meant to interpret text documents into more visual documents organized in a linked fashion. It was never meant to run code on systems, but that's what it's become. The act of making that easier attracted every simpleton web developer who couldn't hack it anywhere else. Administrators saw ActiveX as a way to remotely administrate PCs they couldn't get to in any other way. These were mistakes... big mistakes from a security standpoint. But security was second to attracting new fresh bodies who could fill the seats and drone on endlessly about how awesome Microsoft was.

And this pattern is what I see here -- ineptness in the interests of feature-creep.

It's one thing to say that they sat on the knowledge that this was exploitable. It's another thing entirely to claim that they knowingly made it for the point of exploiting PCs if ActiveX was disabled.

Given their history and the hallmarks of this flaw, I have a hard time making that leap.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]