Full Disclosure mailing list archives

Re: MSIE src&name property disclosure


From: Gadi Evron <ge () linuxbox org>
Date: Tue, 09 Nov 2004 02:14:15 +0200

Dave Aitel wrote:

> This is another reason why studies comparing Microsoft's security to Open Source security are always bizarre. They compare the entire set of Linux vulnerabilities to a tiny subset of the bugs Microsoft knows about, but pretends other people don't. WINS is a classic example.

Actually, I personally have nothing against MS. They succeeded where many failed. Good for them!

Their bad attitude and bloody competitive nature can hardly be blamed in the world they compete in... and their corporate culture... it's their own problem.

So where do I blame them? I blame them for how they treat me:

- They have released vague and mind-boggling advisories (where do I
  start?).
- They don't advertise most of their security issues (remember defcon a
  couple of years back with the CoDC and their "we already use that
  computer name?" issue? MS refused to give credit because "they were
  already aware of the issue").
- They hide security patches inside other patches (so much that the best
  way to find Windows vulnerabilities is to do reversing on their
  patches).
- They pre-patch products and for that reason hold back patches until such
  products are out (XP SP2).
- They insist on dealing with trouble by either ignoring it or killing
  it by applying a band-aid (I'll give only one example: winnuke and
  closing the port).

And don't even get me started on "viruses" (all the way back through macro viruses and beyond).

I don't envy, hate or mock Microsoft. I actually appreciate what they have accomplished. I have a serious issue with their way of doing business with non-competition - the way they treat me as a security professional.

All the above is, naturally, only my personal opinion. I may have some of the details not 100% accurate, but I stand by the spirit of the words.

I tried to start a good-natured FACTUAL discussion on the subject in the past - but all the kiddies always jump up and yell. In this case, even some of my best friends meet the yelling criteria.

Oh... and any idea why MS keeps adding caches on caches on caches to solve problems? It drives me crazy. Which reminds me of a similar discussion on a list I own a while back. Someone asked why IE keeps checking a certain Windows game - it was driving him crazy. So the Managing Director of a big disassembler/debugger company offered to make it a "surprise discount" on the order forms if someone wrote the name of the game there.
It was hilarious. :o)

That's the best you will see out of me on religion. I decide to comment on such issues about twice a year.

    Gadi Evron.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html