Message-ID: <4B5A9DC8.2010105@linuxbox.org>
Date: Sat, 23 Jan 2010 08:57:12 +0200
From: Gadi Evron <ge@...uxbox.org>
To: funsec <funsec@...uxbox.org>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	full-disclosure@...ts.grok.org.uk
Subject: Perhaps it's time to regulate Microsoft as
	Critical Infrastructure?

[I have given this some thought, edited my argument, and am moving this 
message to its own thread.]

Microsoft has put a lot into securing its code, and is very good at 
doing so. However, is it doing enough?

My main argument is about the policy of handling vulnerabilities for 6 
months without patching (such as the Google attacks 0day apparently was) 
and the policy of waiting a whole month before patching this very same 
vulnerability when it first became an in-the-wild 0day exploit (it has 
now been patched, ahead of schedule).

Microsoft is the main proponent of responsible disclosure, and has shown 
it is a responsible vendor. Also, patching vulnerabilities is far from 
easy, and Microsoft has done a tremendous job at getting it done. I 
simply call on it to stay responsible and amend its faulty and dangerous 
policies. A whole month as the default response to patching a 0day? Really?

With their practical monopoly, and the resulting monoculture, perhaps 
their policies ought to be examined for regulation as critical 
infrastructure, if they can't bring themselves to be more responsible on 
their own.

This is the first time in a long while that I find it fit to criticize 
Microsoft on security. Perhaps they have grown complacent with the PR 
nightmare of full disclosure a decade behind them, with most 
vulnerabilities now "sold" to them directly or indirectly by the 
security industry.

	Gadi.


-- 
Gadi Evron,
ge@...uxbox.org.

Blog: http://gevron.livejournal.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
