Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Microsoft's Real Test with Vista is Vulnerabilities
From: Brate Sanders <brate_sanders () yahoo co uk>
Date: Tue, 27 Jun 2006 13:11:14 +0000 (GMT)

Honestly, do you believe MS would care too much about security in Windows or their applications? If they did, would 
they come out with the One Live subscription based solution to protect against their design/implementation 
vulnerabilities? Once One Live subscription becomes more wide spread you can expect press releases like, if you are 
using One Live this vulnerability will not affect you. If not we are working on a solution for your problem, which may 
be available in your next monthly patch cycle.

Microsoft has tried multiple times in the past to come out with a subscription model for Windows, which has failed 
every time. So now they have another oppurtunity to get into the subscription based model. They may even give away 
Windows OS for free and just charge you for the OneLive solution, since it is a better business model any way you 
consider it.

So if they can earn more from the subscription based security solution where is the incentive to make the OS more 
secure? Eventually they are a corporation aimed at maximizing their shareholder value.

Brate Sanders

----- Original Message ----
From: Gadi Evron <ge () linuxbox org>
To: bugtraq () securityfocus com
Cc: funsec () linuxbox org; full-disclosure () lists grok org uk
Sent: Tuesday, 27 June, 2006 5:15:20 PM
Subject: [Full-disclosure] Microsoft's Real Test with Vista is Vulnerabilities

Vista, the solution to all our problems: Microsoft portrays Vista as
anything from the end of software vulnerabilities to the end of spyware.

In my opinion, that is irrelevant as both problems are not going to go
away. They are part of how software systems and the Internet work, and
that's that. The Bad Guys with their ROI won't give up that easily.
What is going to happen though is that creating and exploiting these would
become more difficult.

*Vista is not the Holy Grail or some "silver bullet". It is a test for
Microsoft. It will be a clear indication of how far Microsoft has advanced
in the realm of developing secure software, if at all*.

How so...?

In the past I posted claims that stated Microsoft has advanced
considerably in recent years, and today, it has become very difficult
to find vulnerabilities in Microsoft products. Naturally this doesn't
apply to Internet Explorer. :)

Their code is very professional and heavily reviewed. Unless you spend
significant resources and time on the task, you are not likely to find
even Denial of Service vulnerabilities, not to mention Code Execution
vulnerabilities in their code.

When you do find one, the vulnerability will most likely be a logical
flaw. Microsoft has no problem committing incredible resources to code

However, we need to take into account the Excel case:
Last December Noam wrote of eBay bids on an Excel 0day vulnerability, 
which later on were also announced on the Full-disclosure mailing list.
The issue of bidding for exploits on eBay lead to a heated discussion and
many blog entries.

In the coming months after that, Microsoft announced in it's monthly
security patches release (Patch Tuesday a.k.a. Black Tuesday) several
Excel vulnerabilities.

In this last month, it happened again.

Then the first (but not last!) of the Excel 0days was disclosed. Here is
what Juha had to say about it.

What does this mean, and how does this work with what every decent reverse
engineer will tell you: Microsoft's code is very professional.

The answer is divided into two:
1. QA.
2. Untouched code-base.

Microsoft is basically using legacy code that has been reviewed and
attacked countless times by countless people since Windows NT if not, in
some cases Windows 3.1 (gdi32.dll anyone?).

Is it any wonder new vulnerabilities are so difficult to come by? Everyone
in the industry has been trying for, at the very least, over a decade. We
can't tell if their code is that good due to their ability.

Excel on the other hand is code-base which didn't in the past receive that
same kind of scrutiny very often. When the kiddie on Full-disclosure and
eBay issued his challenge, what happened was that many people started
aiming at Excel.

Much like it often happens with vendor advisories with little to no details, new
vulnerabilities were found other than the one the kiddie (whoever or
whatever he really was) supposedly found.

Several patch releases with official bullet-ins, several 0days... fun,
ain't it? Not related you say? Maybe.

So.. yes. Microsoft's code is very professional, but we can't really rank
their ability on it due to the immense efforts by everyone outside of
Microsoft to do their QA for them.

When Vista comes out, regardless of all the cute security features it will
have. some of which will raise the bar for security researchers, it
*WILL* have vulnerabilities.. and not too long after the release.

The amount of vulnerabilities and their complexity will tell us more of
Microsoft's real ability with security today, than anything else.

Microsoft can claim Vista is the Holy Grail all they like, and indeed,
some of these security features are intriguing... in my opinion though,
the real question is what Vista will show us:
1. It's a new untested code-base out for play.
2. Microsoft supposedly learned a thing or two since Windows 95.

Your guess is as good as mine and the results of this test will be very

    Gadi Evron.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]