MS to force IT-security censorship
Thomas C. Greene, The Register 2001-11-02

Creating, then throttling, security 'partners'

MS to force IT-security censorship 2001-11-05
Otto Zimmermann aka ottomann (1 reply)
Microsoft's 3Ms at work again (Money, Marketing, Muscle)... 2001-11-06
Does anyone know about this IDS evasion with Unicode that MS most likely can't permanently fix?
Microsoft's 3Ms at work again (Money, Marketing, Muscle)!

Oh yeah, let us include Microsoft's absence of true honesty when it comes to dealing with their customers (but that could fall under the category of Microsoft Marketing).

Example of a recent issue where full disclosure and open discussion mean something to users (from Unicode comments on a different SecurityFocus discussion):

http://www.securityfocus.com/cgi-bin/columnists-item.pl?id=33&msg=8531#MSG

----------------------------------------------------

Q: If this Unicode thing has not been fixed, then can it be fixed?

Maybe, but there are about 27 more exploits based on the above that I am aware of that we and some other folks have been experimenting with. Fix it, no. Keep patching it, yes. It will be broken shortly after they fix it and so on... too many lines of code, too little time, too many folks that hate them and are motivated to break whatever slop they cobble together.

Q: Is this problem limited to Microsoft OS, IIS and apps?

Absolutely, and I blame it on poor programming practices and the inherent nature of the architecture (DLLs). Yeah, OK, can you say statically linked libraries instead! Yes, UNIX has "shared objects" (SO) and "dynamically shared objects" (DSO), but you can control their behavior and run them in a "chrooted" or non-authoritative/non-destructive manner.

Q: Does the Unix family of OS and apps have the same weakness?

Some, but I'll take a UNIX OS and its apps any day of the week before I'll take MS and IIS. As it was said earlier, at least I can go home at night and rest reasonably well...

---------------------------------------------------

This is why we need full disclosure: does Microsoft already know this (and is not telling)???


Link to this comment: http://www.securityfocus.com/comments/articles/277/8596#8596
Copyright 2009, SecurityFocus