Wall Street Wonderland

The good, the bad and the unspeakably ugly and everything in between, so help us!

Wednesday, April 04, 2007

Why is Microsoft hell-bent on ruining its reputation?

Does Redmond have a secret death-wish?

According to blogger George Ou, Redmond had multiple chances to release a patch for the ANI (Animated Cursor) Exploit in the months of January, February, and March but failed to release any patches for the vulnerability that was originally disclosed privately to Microsoft on December 20, 2006. Now we're getting an emergency patch today, one week before the regular patch cycle, and Microsoft seems to think that this is a success story on its "quick" response to this zero-day exploit. Here's what an MSRC blog has to say:

"I’m sure one question in people’s minds is how we’re able to release an update for this issue so quickly"

Um, no, not really; the question on my mind is why it has taken Microsoft three and a half months to patch a vulnerability that was disclosed to it in secret, why it waited until after the vulnerability was being exploited in the wild, waited until a third party came out with a third-party patch, and waited until after this became a public relations nightmare to come out with an out-of-band patch. This isn't the first time either. The last time Microsoft came out with an out-of-band patch was the WMF exploit, and that was under the same circumstances, with massive negative press. But if it's just little old me complaining about Microsoft not patching a zero-day Internet Explorer flaw until the next scheduled cycle, it just falls upon deaf ears.

What's even more frustrating is that DEP (Data Execution Prevention) in Windows XP SP2 or Vista, when enforced with hardware NX/XD support, will stop this exploit. (I verified this in the lab.) But Microsoft won't turn it on for all applications by default, nor will it even mention it in its advisory. Almost all new PCs within the last year have been sold with NX/XD capability, and it's a simple switch to turn it on in Windows XP and Vista. Yet most people have it defaulted to off for everything except a few critical applications and services.

There are only a few applications that are incompatible with DEP, and there are workarounds for them. The problem is that Microsoft doesn't want to deal with the technical support when those applications break, though the amount of breakage is far less than with Vista UAC. The only applications I ran into with DEP incompatibility were Skype (though they fixed it within four days after I brought it up) and Microsoft Live Meeting (still not sure if they fixed it). But if Microsoft made DEP all-on the default setting in Windows Vista, more application vendors would be forced to fix their applications to use secure coding practices. I recommend to anyone who's reading this to go ahead and use DEP protection using this hardware and DEP configuration guide.
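The "simple switch" the post refers to is the boot-time DEP policy. As an added example, not code from the ZDNet post or this blog, here is a PowerShell script that reads the current policy from the Win32_OperatingSystem WMI class (whose DataExecutionPrevention_* properties exist on Windows XP SP2 and later) and wraps the bcdedit command that raises it to AlwaysOn or OptOut on Vista. The function names Get-DepStatus and Set-DepAlwaysOn and the policy-name table are this example's own.

```powershell
# Added example (not from the ZDNet post): audit the system-wide DEP policy
# and show how to move it to AlwaysOn on Windows Vista and later.
# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy encodes the
# boot-time setting the post wants turned up:
#   0 = AlwaysOff   DEP disabled for everything
#   1 = AlwaysOn    DEP enforced for every process, no exceptions
#   2 = OptIn       default: only Windows binaries and opted-in programs
#   3 = OptOut      everything protected except an explicit exception list
$DepPolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-DepStatus {
    # Read-only; no elevation needed.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $code = [int]$os.DataExecutionPrevention_SupportPolicy
    [pscustomobject]@{
        # True when the CPU/BIOS expose NX/XD and Windows is using it
        HardwareNxAvailable = [bool]$os.DataExecutionPrevention_Available
        PolicyCode          = $code
        Policy              = $DepPolicyNames[$code]
    }
}

function Set-DepAlwaysOn {
    # Writes the boot configuration; needs an elevated prompt and a reboot.
    # On Windows XP the equivalent is the /noexecute=AlwaysOn switch in boot.ini.
    # OptOut is the softer choice when a known-incompatible program (the post
    # names Skype and Live Meeting) still has to run: everything else stays
    # protected and the exceptions are listed under
    # System Properties > Performance > Data Execution Prevention.
    param([ValidateSet('AlwaysOn', 'OptOut')][string]$Policy = 'AlwaysOn')
    & bcdedit.exe /set '{current}' nx $Policy
}

$status = Get-DepStatus
$status | Format-List
if (-not $status.HardwareNxAvailable) {
    Write-Warning 'No hardware NX/XD support reported; DEP cannot be hardware-enforced on this machine.'
} elseif ($status.Policy -ne 'AlwaysOn') {
    Write-Host "DEP policy is $($status.Policy); run Set-DepAlwaysOn from an elevated prompt and reboot."
}
```

Run it once to see where the machine stands; only the Set-DepAlwaysOn step changes anything, and the new policy takes effect after the next reboot.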

This isn't the only example.

Want to see more? Copy this into your browser and check it out:

http://blogs.zdnet.com/Ou/?p=460
