Security Incidents mailing list archives

Re: Releasing patches is bad for security


From: Valdis.Kletnieks () vt edu
Date: Mon, 01 Mar 2004 12:28:07 -0500

On Sat, 28 Feb 2004 14:48:37 EST, Joe Miller <joseph-p-miller () cox net>  said:

> I would hope MS has hundreds of the brightest software engineers specifically
> focused on finding security flaws in all of their software.  They should also
> hire third party security engineers to do the same until all security holes are
> discovered, code rewrites planned, designed and deployed before the company
> chokes to death on its own mistakes. They certainly have enough liquid assets
> to do so.

What bottom-line profit motive is there for Microsoft to do so?

Remember that a corporation's fiduciary responsibility is to *the bottom line*,
not to their customers(*).  There's no reason for Microsoft to spend $100M or
whatever on security, unless there's reasonable expectation of a payback on the
bottom line.  In fact, spending $100M *without* any expectation of payback is
likely to get you the target of a shareholder lawsuit.

(*) If you don't believe me, read their EULA - they disclaim all responsibility
for their code quality, and have somewhere near zero obligation to you as a
customer. If you want to get rid of your current Microsoft account rep, ask him
about indemnification from them, and watch them die laughing....

> They also have enough cash to then hire the brightest security and software
> engineers to develop OS's and Applications while incorporating security specs,
> reasonable care and due diligence. Developing the security controls with the OS
> and applications is the only way Microsoft will survive as a software company
> of the future.

Well, *now* they're spending the money, because they can find a business case
for doing so - "If we don't do something, users will bail out to open-source
solutions that aren't hacked into on a daily basis".

The problem now is that security isn't something you can bolt on after the
fact, and a *lot* of the WinXP code is legacy code from Win/NT (proven by the
number of exploits that work clear across NT to XP, often with the same offsets
even).

