One just has to look back at Jim Allchin's (VP of Winows OS division) testimony in which he states that if M$ where to open even some of Windows OS source code, it would be a danger to National Security. Even in the book "Hack Proffing Your Network" whose authors often are found in Security Focus, there are very strong warnings of Monoculturism.
The mere fact that a malware author needs to write for one poor api set creates a cascading effect which the authors of the CCIA Report warn of.
I aggree that there are draconian "fixes" included in this report. However, overall, they are right on the mark on the dangers of monoculture enviroments. Look, M$ can't get their latest patches right. There still is DoS in RCPDCOM, IE is broke beyond repair, GDI will always be exploitable (read Chris Paget's work on Shatter attacks 1,2,or 3), And untill the Win32 api is rewritten, we are going to see buffer explot after buffer exploit.Even much touted TPA is flawed to exploits. Xbox? Windows 2003? M$ has a long way to go to be soley depended on in a secure fashion, unless you unplug it from the Internet (secure by design).

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/190/23097#23097