Security Incidents mailing list archives
Re: Releasing patches is bad for security
From: Valdis.Kletnieks () vt edu
Date: Mon, 01 Mar 2004 12:28:07 -0500
On Sat, 28 Feb 2004 14:48:37 EST, Joe Miller <joseph-p-miller () cox net> said:
> I would hope MS has hundreds of the brightest software engineers specifically focused on finding security flaws in all of their software. They should also hire third party security engineers to do the same until all security holes are discovered, code rewrites planned, designed and deployed before the company chokes to death on its own mistakes. They certainly have enough liquid assets to do so.
What bottom-line profit motive is there for Microsoft to do so? Remember that a corporation's fiduciary responsibility is to *the bottom line*, not to their customers(*). There's no reason for Microsoft to spend $100M or whatever on security, unless there's reasonable expectation of a payback on the bottom line. In fact, spending $100M *without* any expectation of payback is likely to make you the target of a shareholder lawsuit. (*) If you don't believe me, read their EULA - they disclaim all responsibility for their code quality, and have somewhere near zero obligation to you as a customer. If you want to get rid of your current Microsoft account rep, ask him about indemnification from them, and watch them die laughing....
> They also have enough cash to then hire the brightest security and software engineers to develop OS's and Applications while incorporating security specs, reasonable care and due diligence. Developing the security controls with the OS and applications is the only way Microsoft will survive as a software company of the future.
Well, *now* they're spending the money, because they can find a business case for doing so - "If we don't do something, users will bail out to open-source solutions that aren't hacked into on a daily basis". The problem now is that security isn't something you can bolt on after the fact, and a *lot* of the WinXP code is legacy code from Win/NT (proven by the number of exploits that work clear across NT to XP, often with the same offsets even).