Stan Bubrouski wrote:
Ordinarily I'd argue, but its hard to when we find out Microsoft knew
about the bug for a long time and made a concious decision not to
patch it even though they knew it could lead to a system compromise.
People commented on how Microsoft put out a patch quicker than they
usually would but this is NOT THE CASE. According to Microsoft
itself, they knew about the bug months before it was reported in
December. Don't give credit where its not earned...
I'm going to try to walk the line here. I loath defending Microsoft,
and I'm not defending them for their historical conduct, but I still
can't see conspiracy theories being accurate yet.
A few incidents ("NSA" backdoor) aside, Microsoft's history with
security has been one of ineptness, not "maliciousness" per-se. This is
their history going back to before they purchased IE, and something that
became really evident when they first began rebuilding Mosaic. The WMF
bug is in line with their development methodology up until (and in some
ways including) recently. Microsoft's development mantra was, for a
long time, ease of use at the expense of everything else. When NT came
out and Microsoft moved from producing OS' that were not network ready
out of the box and toy-like GUI infrastructures, the impacts of that
strategy were transposed onto administrators and users (now more
vulnerable than ever) alike.
Ease of use became Ease of administration, and that became Ease of
development. Netscape and Sun was threatening Microsoft's monopolistic
paradigm with a new platform for application development that was easily
cross-platform and as a result, IE had to become an even more robust
method of distributing application and administration capabilities.
We now see the fallout of that decision. The web browser was never
meant to be an application subsystem - it was meant to interpret text
documents into more visual documents organized in a linked fashion. It
was never meant to run code on systems, but that's what it's become.
The act of making that easier attracted every simpleton web developer
who couldn't hack it anywhere else. Administrators saw ActiveX as a way
to remotely administrate PCs they couldn't get to in any other way.
These were mistakes... big mistakes from a security standpoint. But
security was second to attracting new fresh bodies who could fill the
seats and drone on endlessly about how awesome Microsoft was.
And this pattern is what I see here -- ineptness in the interests of
It's one thing to say that they sat on the knowledge that this was
exploitable. It's another thing entirely to claim that they knowingly
made it for the point of exploiting PCs if ActiveX was disabled.
Given their history and the hallmarks of this flaw, I have a hard time
making that leap.