Re: Steve Gibson smokes crack?

[bkfsec <bkfsec () sdf lonestar org>]

Stan Bubrouski wrote:

> Ordinarily I'd argue, but its hard to when we find out Microsoft knew
> about the bug for a long time and made a concious decision not to
> patch it even though they knew it could lead to a system compromise.
>
> People commented on how Microsoft put out a patch quicker than they
> usually would but this is NOT THE CASE.  According to Microsoft
> itself, they knew about the bug months before it was reported in
> December.  Don't give credit where its not earned...
>
>  
I'm going to try to walk the line here.  I loath defending Microsoft, 
and I'm not defending them for their historical conduct, but I still 
can't see conspiracy theories being accurate yet.

A few incidents ("NSA" backdoor) aside, Microsoft's history with 
security has been one of ineptness, not "maliciousness" per-se.  This is 
their history going back to before they purchased IE, and something that 
became really evident when they first began rebuilding Mosaic.  The WMF 
bug is in line with their development methodology up until (and in some 
ways including) recently.  Microsoft's development mantra was, for a 
long time, ease of use at the expense of everything else.  When NT came 
out and Microsoft moved from producing OS' that were not network ready 
out of the box and toy-like GUI infrastructures, the impacts of that 
strategy were transposed onto administrators and users (now more 
vulnerable than ever) alike. 

Ease of use became Ease of administration, and that became Ease of 
development.  Netscape and Sun was threatening Microsoft's monopolistic 
paradigm with a new platform for application development that was easily 
cross-platform and as a result, IE had to become an even more robust 
method of distributing application and administration capabilities. 

We now see the fallout of that decision.  The web browser was never 
meant to be an application subsystem - it was meant to interpret text 
documents into more visual documents organized in a linked fashion.  It 
was never meant to run code on systems, but that's what it's become.  
The act of making that easier attracted every simpleton web developer 
who couldn't hack it anywhere else.  Administrators saw ActiveX as a way 
to remotely administrate PCs they couldn't get to in any other way.  
These were mistakes... big mistakes from a security standpoint.  But 
security was second to attracting new fresh bodies who could fill the 
seats and drone on endlessly about how awesome Microsoft was.

And this pattern is what I see here -- ineptness in the interests of 
feature-creep.

It's one thing to say that they sat on the knowledge that this was 
exploitable.  It's another thing entirely to claim that they knowingly 
made it for the point of exploiting PCs if ActiveX was disabled.

Given their history and the hallmarks of this flaw, I have a hard time 
making that leap.

            -bkfsec


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/