
Re: [News] Microsoft Has Kept Dangerous Known Flaws Secret for Months, Until the Attacks Began

Roy Schestowitz wrote:

> Microsoft knew of Windows .ANI flaw since December 2006
> 
> ,----[ Quote ]
> | A private security research outfit says it notified Microsoft about
> | the animated cursor (.ani) code execution vulnerability since
> | December 2006, a full four months ahead of yesterday's discovery
> | of Internet Explorer drive-by attacks.
> `----
> 
> http://blogs.zdnet.com/security/?p=143
> 

The tricky bit: although I have no doubt that the story is correct that
there are ways to crash the animation and do whatever, the problem here is
that many a software security vendor wanting a bit of a free advert can
pick almost anything, poke it till it breaks, then issue a security
warning. And poor old MS are expected to run breathless from one security
vulnerability to the next.

But half the time it's nutters or companies after a bit of free advertising.

MS can't put all resources into every shout. I bet your left sock that if
you saw MS's post you would see thousands that are pure junk and among those
maybe one that is genuine. So for each vulnerability called, MS has used up
people and time in the post room looking for the genuine, but these gals are
ex-waitresses who don't really know the difference. So they sort the mail
into similar-looking groups (probably based on the first paragraph) and pass
it to where they think it should go.

So already the bloke who is responsible for finding true and genuine flaws
stands a good chance of missing the genuine vulnerability and just ends up
reading junk mail all day long. He'll get bored with that quite quickly and
go from reading the whole first paragraph to doing it the same way I do
with interviewees.

You look at the letter, no reading involved; if it looks like it might be a
pain in the eyes to read then it's in the bin. That gets rid of at least
half. Another quarter gets binned for windiness on the first page. So it's
all reduced to a nice little pile in no time at all. But of course I might
have missed the next Albert Einstein, who wasn't well known for his writing
abilities, but still, better to miss an Einstein than waste a day reading
crap.

We all know Vista is crap. There are going to be hundreds of vulnerabilities.
MS would be wasting time chasing any that are reported from outside; they
have to sort the body of the Vista unit out before they go running after
each vulnerability that gets reported in an advert, oops, I mean in the press.
