Information Security News mailing list archives

Re: Security a work in progress for Microsoft


From: InfoSec News <isn () c4i org>
Date: Mon, 19 Jan 2004 00:48:41 -0600 (CST)

Forwarded from: security curmudgeon <jericho () attrition org>

: http://news.com.com/2100-7355-5141765.html
:
: By Robert Lemos
: Staff Writer, CNET News.com
: January 15, 2004
:
: Two years after Chairman Bill Gates called on Microsoft to redouble
: its efforts to secure its software, the company is beginning to make
: progress, according to customers--but much work remains.

: Six months after the release of the Windows 2000 operating system,
: Microsoft had warned of system flaws in 32 security advisories; 21
: vulnerabilities were gauged to be critical. Yet six months after
: Microsoft released Windows Server 2003, the successor to Windows 2000,
: after extensive code reviews, the number of flaws had shrunk to 14, with
: only 6 critical issues.
:
: "Customers are better off today than they were a year ago, and they will
: be even better off in the future," said Kevin Kean, a group manager at
: Microsoft's Security Response Center.

Windows security patches are now released once a month.

Microsoft has a long history of silently fixing major security flaws in
patches. We update to protect against A, B and C that made news. That
same update protects us from X, Y and Z that were just as dangerous,
but escaped attention.

The numbers (32/21 vs 14/6) mean absolutely nothing.

: Microsoft does make patches available more quickly than in previous
: years, said Mitchell Rubin, president of Lynx Consulting Group in

Why do I think this quote came before Microsoft opted to move to a
once-a-month patch model?

: Rather than releasing advisories every two or three weeks, the company
: now publishes the notifications once a month. It has also turned up the
: pressure on the underground programmers that create worms and viruses by
: offering a bounty on the people or groups who released the Sobig.F virus
: and the MSBlast worm.

.. a bounty that has yielded 0 arrests? 0 virus writer captures? 0
payouts?

: Moreover, some of the bug finders that have been the bane of Microsoft's
: public image for years are starting to take a softer stance toward the
: company, encouraged by greater cooperation from the company's security
: groups.
:
: "They are acting more responsibly," said Thor Larholm, a senior security
: researcher for security firm PivX Solutions and a frequent finder of
: bugs in Microsoft's products. "They have lived up to the spirit of
: Trustworthy Computing, even if they still have problems."

http://www.pivx.com/clients.html

GMAC || BOEING || Microsoft || University of California

I like Mr. Larholm and really appreciate the work he and PivX have
done in the past, but how can anyone take these comments seriously
when Microsoft pays them?



-
ISN is currently hosted by Attrition.org