Discussion in 'Article Discussion' started by CardJoe, 30 Apr 2010.
If High-Tech Bridge had not done this I think M$ would have dragged their feet in patching the exploit. Now they have been forced to look into the problem and address the hole.
"We're sorry that we had to kick you in the face to show you how easy it is to kick you in the face."
They perhaps shouldn't have released proof-of-concept exploit code.
To be honest, I don't think it would have made any difference if the code had not been released, as the disclosure would have detailed the issue and any professional hacker would have been able to write their own working code from it.
+1, couldn't have said it better myself.
Meh, two weeks is a long time on the internet. With something this severe, MS should have been much quicker off the block.
You give 6 months for the developer to address the issue. It's common courtesy.
On the other hand, if you do NOT force Microsoft's hand, they tend to conveniently leave such reports on the shelf for several months. (Even years.)
It's commonly known that Microsoft doesn't address security problems unless you force their hand. The problem is the internal structure and politics of the company. (It results in them being slow to respond to anything.)
Many end-users think it's the hackers and security researchers who are the problem. Understand that they are the ones who have time and time again shown that there is something wrong with MS solutions. They are broadcasting an obvious signal... The problem is: no one is listening to the obvious!
Few have actually realised that computer security sloppiness for the average consumer is because of the way Microsoft has done things.
Think about it...
(1) They are willing to compromise security for usability...Then cover a flawed implementation with market spinning.
e.g. Windows 7's UAC default setting is flawed. It automatically allows one to run code embedded in a DLL with FULL admin privileges, because the setting auto-trusts rundll32.exe without warning the user... It means I can write malware and you won't be notified when the malware uses admin privileges to execute code... You need to set it to "Always Notify". But then this behaves exactly like it did in Vista!
To cover this up, MS marketing has said Windows 7's UAC isn't a "security boundary". That's BS. They know it. They just won't admit they f**ked up with the design because it will potentially kill their Windows 7 sales. (Windows 7 is what's really making MS money, while they burn a truck load of cash on Bing in order to compete with Google... Check their recent financial reports; you'll see this.)
(2) Their implementations are sloppy when it comes to security.
Here's what I mean: at a fundamental level, the way they do things sounds nice on paper and in marketing. But when it comes to actually implementing things or testing them on the real battlefield that is the Internet, it's a bit of a joke.
All those mechanisms like ASLR, DEP, Protected Mode, etc. sound great for marketing Windows security.
In reality? Every competent hacker or "security researcher" knows how to circumvent them. They do nothing when the code itself is flawed. (This is why IE loses in the annual Pwn2Own competition... IE needs to be re-written completely. This isn't going to happen as it costs time, money, and resources.)
(3) Poor default settings.
The way they offer things by default is like giving a teenager free access to a can of petrol and some matches... then letting them loose.
Windows is an "Allow by default" system. The reason for this is that they want it to be as easy as possible... The way they go about it is flawed from a security perspective.
Then, to compensate for this flaw, people are led to believe security can be achieved by installing anti-malware applications. These actually fail miserably in the real world. The AV approach doesn't work against serious threats. It is a reaction. It will always be behind... and AV companies cannot keep up with the sheer number and variants of crap out there.
The hard reality is that people need to change their approach to computing, i.e. "Deny by default".
It means only installing known clean/legit apps and denying stupid behaviour.
I did this for a company: employees complain that they can't do this and that...
We respond with: "You aren't paid to play, view porn, social network, or install programs at your leisure. You're here to do a job you're being paid for. We've provided the applications you need for that job. If you want to do all that other stuff, do it on your own time and on your own systems."
Result? Malware issues no longer exist. We have more problems with flaky hardware.
My overall point is this:
Without hackers and other talented individuals, companies like Microsoft, Apple, Adobe, etc. wouldn't care about security. The end-user or consumer would be completely oblivious to how flakily things are being implemented. (Why would they care if the money keeps rolling in?)
As a paying customer of Microsoft products, you folks must demand more from them.
...Because the software you're getting isn't worth what they're asking for.
i.e. For every dollar you are spending on software that bombs, has security issues, requires endless patching, etc., you're getting 59 cents worth of value.
That's from a guy I know who designs/implements highly reliable software... the kind of software that you can bet your life on, that regularly passes the US NSA's scrutiny, and where the only bugs found are due to typos in the documentation.
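As an added example (not from the thread or from any poster), the following PowerShell audit reads the UAC policy values the post above refers to and reports whether admin elevation is on "Always notify" or on the Windows 7 default that auto-elevates Windows-signed binaries; the registry key and value names are the documented UAC policy values, and Set-UacAlwaysNotify is a hypothetical helper name chosen here.

```powershell
# Audit UAC elevation settings (added example, not from the thread).
# Key and value names are the documented UAC policy values; the meaning
# table matches the Local Security Policy descriptions for each value.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
function Get-UacPosture {
    $p = Get-ItemProperty -Path $UacKey
    $admin  = [int]$p.ConsentPromptBehaviorAdmin   # 0..5, see table below
    $secure = [int]$p.PromptOnSecureDesktop        # 1 = prompt on the dimmed secure desktop
    $lua    = [int]$p.EnableLUA                    # 0 = UAC disabled entirely
    $meaning = switch ($admin) {
        0 { 'Elevate without prompting' }
        1 { 'Prompt for credentials on the secure desktop' }
        2 { 'Prompt for consent on the secure desktop ("Always notify")' }
        3 { 'Prompt for credentials' }
        4 { 'Prompt for consent' }
        5 { 'Prompt for consent for non-Windows binaries only (Windows 7 default)' }
        default { "Unknown value $admin" }
    }
    $findings = @()
    if ($lua -eq 0)    { $findings += 'UAC is disabled (EnableLUA=0); nothing prompts.' }
    if ($admin -eq 0)  { $findings += 'Admins elevate silently; set ConsentPromptBehaviorAdmin=2.' }
    if ($admin -eq 5)  { $findings += 'Windows-signed binaries auto-elevate with no prompt; set ConsentPromptBehaviorAdmin=2.' }
    if ($secure -eq 0) { $findings += 'Prompts are not on the secure desktop; set PromptOnSecureDesktop=1.' }
    [pscustomobject]@{
        ConsentPromptBehaviorAdmin = $admin
        Meaning                    = $meaning
        PromptOnSecureDesktop      = $secure
        EnableLUA                  = $lua
        AlwaysNotify               = ($lua -eq 1 -and $admin -eq 2 -and $secure -eq 1)
        Findings                   = $findings
    }
}
# Hypothetical remediation helper: moves the UAC slider to "Always notify".
# Run from an elevated prompt; pass -WhatIf to preview without writing.
function Set-UacAlwaysNotify {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($UacKey, 'Set UAC to Always notify')) {
        Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
        Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
        # A change to EnableLUA only takes effect after a reboot.
    }
}
Get-UacPosture | Format-List
```

A machine on the Windows 7 default reports ConsentPromptBehaviorAdmin 5 with a finding; after Set-UacAlwaysNotify it reports AlwaysNotify True.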
Good post aussiebear... couldn't have said it better.
They are getting the failed Mojave experiment to roll in some money.
The UAC has bothered me in 7 since it released... really it's a joke to have it ship on that setting, not to mention whitelist a number of set apps like notepad.exe.
Guys were getting elevated without any warnings during the RC... but to credit them, a lot of people were running with UAC off in Vista anyway (basically they didn't know how to use the Task Scheduler to run elevated).
It is a bit more user friendly and they did a lot of the tweaks needed right out of the box... as far as SharePoint goes, it doesn't surprise anyone really.
When you look at proprietary software... this will always happen; it's a small group of programmers.
Just use Linux and run Windows in a sandbox when you need it. Never run as SU and you will notice that you no longer need AV, because you have to input the SU password to install software, which gives you a moment to go... hmmm? Do I think this is a safe piece of software from a reputable source?
Though I guess this does presuppose a certain level of "PC know-how"
(there goes a big percentage of users). Sometimes I forget how little the average Joe knows about PCs and Windows.
"that thing that keeps my feet warm at work" (from a service line call)
I will never forget that one......
So easy to slam MS. What is missing is that ALL companies have to evaluate the severity of a flaw: risk management. Maybe this particular vulnerability is only likely to be accessed under certain conditions. Or it could be that this code could have significant consequences on certain hardware or other software configurations. Any fix must be validated to ensure the fix doesn't become a bigger problem than the original flaw. I don't have first-hand experience with MS, but this knee-jerk reaction happens every time someone finds a flaw.
What is the motivation of High-Tech Bridge? Is it genuine, or are they drumming up business? No, I am not implying that they are, but merely suggesting that such questions need to be asked. If it is so easy to slam MS, don't forget to look at who is crying foul and why.
To those who love pointing out that Linux is so secure, or that Apple is so safe: it is only because they are small and proprietary, and MS is so big. If MS falls by the wayside, hackers will focus their attention on Linux, Apple, or whoever fills the void. It's the nature of the beast.
Sounds like I am defending MS? No. Just that the perpetual, one-sided knee-jerk reactions that follow every announcement like this are long on critique and short on understanding of the overall system management process, and they sound naive to me.