April 3rd, 2007

Why is Microsoft hell-bent on ruining its reputation?

Posted by George Ou @ 12:17 am

Categories: Browsers, Desktop, Hardware, Microsoft, News, Security, Vista

Microsoft had multiple chances to release a patch for the ANI (Animated Cursor) Exploit in the months of January, February, and March but failed to release any patches for the vulnerability that was originally disclosed privately to Microsoft on December 20, 2006. Now we're getting an emergency patch today, one week before the regular patch cycle, and Microsoft seems to think that this is a success story on its "quick" response to this zero-day exploit. Here's what an MSRC blog has to say:

"I’m sure one question in people’s minds is how we’re able to release an update for this issue so quickly"

Um, no, not really. The question on my mind is why it took Microsoft three and a half months to patch a vulnerability that was disclosed to it in secret, and why it waited until the vulnerability was being exploited in the wild, until a third party released its own patch, and until the issue became a public relations nightmare before shipping an out-of-band patch. This isn't the first time either. The last time Microsoft released an out-of-band patch was for the WMF exploit, and that happened under the same circumstances, with massive negative press. But when it's just little old me complaining about Microsoft not patching a zero-day Internet Explorer flaw until the next scheduled cycle, it falls on deaf ears.

What's even more frustrating is that DEP (Data Execution Prevention) in Windows XP SP2 or Vista, when enforced with hardware NX/XD support, will stop this exploit. (I verified this in the lab.) But Microsoft won't turn it on for all applications by default, nor will it even mention it in its advisory. Almost all new PCs sold within the last year have NX/XD capability, and it's a simple switch to turn it on in Windows XP and Vista. Yet on most PCs it defaults to off for everything except a few critical applications and services. Only a few applications are incompatible with DEP, and there are workarounds for them. The problem is that Microsoft doesn't want to deal with the technical support load when those applications break, even though the amount of breakage is far less than with Vista UAC. The only applications I ran into with DEP incompatibility were Skype (though they fixed it four days after I brought it up) and Microsoft Live Meeting (still not sure if they fixed it). But if Microsoft made DEP all-on the default setting in Windows Vista, more application vendors would be forced to fix their applications to use secure coding practices. I recommend that anyone reading this turn on DEP protection using this hardware and DEP configuration guide.
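As an added illustration (not from the original post or the guide it links), the following PowerShell reads the DEP state that Windows exposes through WMI, shows the OptIn default described above beside the AlwaysOn setting, and prints the boot-configuration command for the running OS. It assumes Windows XP SP2 or Vista with PowerShell installed and uses only the Win32_OperatingSystem DEP properties.

```powershell
# Added example: report hardware NX/XD availability and the active DEP policy,
# then show how to move from the OptIn default to AlwaysOn. Reboot required.
$os = Get-WmiObject -Class Win32_OperatingSystem

# Win32_OperatingSystem DEP properties:
#   DataExecutionPrevention_Available     - True when the CPU's NX/XD bit is usable
#   DataExecutionPrevention_SupportPolicy - 0 AlwaysOff, 1 AlwaysOn,
#                                           2 OptIn (default: Windows binaries only),
#                                           3 OptOut (everything except listed exceptions)
$policyNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn  (enforced for every process)'
    2 = 'OptIn     (default: only core Windows programs and services)'
    3 = 'OptOut    (all programs except those added as exceptions)'
}
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

"Hardware NX/XD available : $($os.DataExecutionPrevention_Available)"
"Current DEP policy       : $($policyNames[$policy])"

if (-not $os.DataExecutionPrevention_Available) {
    "NX/XD is not available or is disabled in the BIOS; DEP cannot be hardware-enforced."
}
elseif ($policy -ne 1) {
    "DEP is not enforced for all processes. To switch to AlwaysOn and reboot:"
    if ($os.Version -like '6.*') {
        # Windows Vista keeps the boot settings in the BCD store.
        "  bcdedit /set {current} nx AlwaysOn"
    }
    else {
        # Windows XP SP2 reads the switch from the OS line in C:\boot.ini.
        "  change  /noexecute=OptIn  to  /noexecute=AlwaysOn  in boot.ini"
    }
    # OptOut (nx OptOut / /noexecute=OptOut) is the middle ground: DEP for
    # everything, with the few incompatible applications listed as exceptions.
}
else {
    "DEP is already enforced for all processes."
}
```

AlwaysOn leaves no per-application exceptions, so an application that really cannot run under DEP needs OptOut with that application listed as an exception rather than disabling DEP globally.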

This isn't the only example of Microsoft ignoring imminent zero-day threats. It has treated Office zero-day exploits in the same casual "we'll patch it when it's ready" manner. That prompted me to write "Is MS Office becoming a zero-day liability all year long?" Back then, there were no Office 2007 vulnerabilities yet, and I figured Microsoft was just dragging its feet on older versions of Office (which is just as bad, since they're widely in use). But a zero-day exploit was reported for Office 2007 on 2/27/2007, and Microsoft couldn't deliver a patch for the 3/13/2007 cycle to plug that hole, leaving it open for at least another month. While there are some factors in Windows Vista that can mitigate some of the damage, we can't discount these vulnerabilities as anything less than extremely critical, since user data is at risk of theft, deletion, or ransom through encryption, and Microsoft's users are massive targets.

The fact of the matter is that Microsoft has done a relatively good job auditing its code and keeping its exploit count to a minimum, but it seems hell-bent on perpetuating the perception that Microsoft is a joke when it comes to security. For example, there have been only four critical exploits for Windows Vista this year compared to Apple's 62 critical exploits in the same timeframe, but that doesn't really matter. Since Microsoft is the biggest target because of its market share, Microsoft users will get attacked first. It doesn't matter how much hard work Microsoft puts into the SDL (Security Development Lifecycle) and how successful SDL is if it won't patch its few remaining vulnerabilities in a timely manner. Microsoft's customers will still be victims of malware, and Microsoft's reputation will still be in the tank — and frankly, it's mostly deserved if it won't take timely patches seriously.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

Talkback (most recent of 82):

I am frankly tired of the whining!
I have been a MS OS/App user for years and I don't like all the bugs and vulnerabilities. But you know what, I know they are there and I have NO expectations from MS. If they patch it fine, if not f... (Read the rest)
Posted by: andrej770 on 04/30/07