funsec mailing list archives
Re: Third-party application developers and the WMF flaw
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 17 Jan 2006 11:13:19 +0200
Richard M. Smith wrote:
Hi, Since Microsoft has known about the WMF flaw for many years, I wonder what kind of efforts, if any, Microsoft has made to notify third-party application developers of the problem and offer work-arounds. If no efforts were made, why not? Are there other security issues in the Windows operating system that need the attention of application developers thatMicrosoft is not informing developers about?Richard M. Smith http://www.ComputerBytesMan.com
I'll try and answer... naturally, these are only speculations:Microsoft is a big corporation with completely different smaller "companies" inside of it. Imagine (as in fiction) the VP in charge of the development of Internet Explorer knowing of this vulnerability.
To fix it he needs the cooperation of a completely different department, as well as pass through bureaucracy. Further, he needs to possibly convince people to/of:
- Mess with legacy code written years ago, that currently works.- Explain a security issue to people who don't really understand what the fuss is all about. - Explain why a feature, put in there by design, was a vulnerability and has to be removed while it so far has been fine, and removing it might just break stuff.
So, in my fiction, he just creates a work-around.If I was to be a bit more on the paranoid side, I might have said Microsoft didn't want to mess with this. They have enough problems on their hands and look at the above three reasons already provided. So.. they entered it into their secret "security issues to work around in your products" database. :)
As to why this wasn't fix in later versions of products, etc. Maybe it was just something one developer came across, filed, and got lost in paperwork? Maybe it was a mistake? Maybe there knowledge management regarding security wasn't that amazing with Microsoft?
Putting fiction aside, we could be reading too much into what the guy from Microsoft said. Maybe they simple used a different technology and now make PR use of that to help a messy situation?
Whatever the reason was... we are beyond Microsoft bashing on it now. Now... we are on to waiting `till the next time it is unfortunately necessary -- which should be just around the corner.
I really believe Microsoft came a long way since just a few years ago, but they still seem to treat the security community as a "necessary evil" to work with, as well as a PR problem. As long as that doesn't change, I won't expect much from them regardless of efforts made.
Gadi.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Third-party application developers and the WMF flaw Richard M. Smith (Jan 16)
- Message not available
- Fwd: Third-party application developers and the WMF flaw Col (Jan 16)
- Re: Third-party application developers and the WMF flaw TheGesus (Jan 16)
- Re: Fwd: Third-party application developers and the WMF flaw Florian Weimer (Jan 17)
- Re: Fwd: Third-party application developers and the WMF flaw Col (Jan 18)
- Fwd: Third-party application developers and the WMF flaw Col (Jan 16)
- Message not available
- Re: Third-party application developers and the WMF flaw Gadi Evron (Jan 17)
- Infecting OEM Images Larry Seltzer (Jan 19)
- RE: Infecting OEM Images Richard M. Smith (Jan 19)
- Re: Infecting OEM Images Pierre Vandevenne (Jan 19)