Why is Microsoft hell-bent on ruining its reputation?

Summary: Microsoft had multiple chances to release a patch for the ANI (Animated Cursor) Exploit in the months of January, February, and March but failed to release any patches for the vulnerability that was originally disclosed privately to Microsoft on December 20, 2006. Now we're getting an emergency patch today, one week before the regular patch cycle, and Microsoft seems to think that this is a success story on its "quick" response to this zero-day exploit.

Microsoft had multiple chances to release a patch for the ANI (Animated Cursor) Exploit in the months of January, February, and March but failed to release any patches for the vulnerability that was originally disclosed privately to Microsoft on December 20, 2006. Now we're getting an emergency patch today, one week before the regular patch cycle, and Microsoft seems to think that this is a success story on its "quick" response to this zero-day exploit. Here's what an MSRC blog has to say:

"I’m sure one question in people’s minds is how we’re able to release an update for this issue so quickly"

Um, no, not really; the question on my mind is why it took Microsoft three and a half months to patch a vulnerability that was disclosed to it in secret, waiting until after the vulnerability was being exploited in the wild, until a third party came out with its own patch, and until this had become a public relations nightmare before coming out with an out-of-band patch. This isn't the first time either. The last time Microsoft came out with an out-of-band patch was for the WMF exploit, and that was under the same circumstances, with massive negative press. But if it's just little old me complaining about Microsoft not patching a zero-day Internet Explorer flaw until the next scheduled cycle, it falls on deaf ears.

What's even more frustrating is that DEP (Data Execution Prevention) in Windows XP SP2 or Vista, when enforced with hardware NX/XD support, will stop this exploit. (I verified this in the lab.) But Microsoft won't turn it on for all applications by default, nor will it even mention it in its advisory. Almost all new PCs sold within the last year have NX/XD capability, and it's a simple switch to turn it on in Windows XP and Vista. Yet for most people it defaults to off for everything except a few critical applications and services. Only a few applications are incompatible with DEP, and there are workarounds for them. The problem is that Microsoft doesn't want to deal with the technical support load when those applications break, even though the amount of breakage is far less than with Vista's UAC. The only applications I ran into with DEP incompatibility were Skype (though they fixed it four days after I brought it up) and Microsoft Live Meeting (still not sure if they fixed it). But if Microsoft made DEP on-for-everything the default setting in Windows Vista, more application vendors would be forced to fix their applications to follow secure coding practices. I recommend that anyone reading this go ahead and turn on DEP protection using this hardware and DEP configuration guide.
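
As an added illustration (not code from the original post), here is a Windows PowerShell script that reads the system-wide DEP policy the paragraph refers to, reports whether hardware NX/XD is present, and prints the `bcdedit` switch that moves Vista to the "all applications" setting. It assumes Vista or later (Windows XP sets the policy through the `/noexecute` switch in boot.ini instead); the `Win32_OperatingSystem` properties and `bcdedit nx` values used are standard Windows ones.

```powershell
# Added example: inspect the DEP policy and show how to enforce it for every process.
# Run from an elevated Windows PowerShell prompt on Vista or later.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Win32_OperatingSystem exposes the system-wide DEP policy as a small integer.
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for everything)'
    1 = 'AlwaysOn  (DEP enforced for all processes)'
    2 = 'OptIn     (DEP only for Windows system binaries and services; the default)'
    3 = 'OptOut    (DEP for everything except an exclusion list)'
}

# $true only when the CPU provides NX/XD and it is enabled in the BIOS.
$hwNx   = $os.DataExecutionPrevention_Available
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

"Hardware NX/XD available : $hwNx"
"Current DEP policy       : $($policyNames[$policy])"

if (-not $hwNx) {
    "Without hardware NX/XD, DEP is limited to software enforcement only."
}
elseif ($policy -ne 1) {
    "DEP is not enforced for all applications. To change that (takes effect after a reboot):"
    "    bcdedit /set {current} nx AlwaysOn"
    "Verify afterwards with: bcdedit /enum {current}"
}
else {
    "DEP is already enforced for all applications."
}
```

Applications that genuinely cannot run under DEP will fail to start after the change; that is the signal to pursue the vendor fix or workaround the paragraph mentions rather than to switch DEP back off globally.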

This isn't the only example of Microsoft ignoring imminent zero-day threats. It has treated Office zero-day exploits in the same casual "we'll patch it when it's ready" manner. That prompted me to write "Is MS Office becoming a zero-day liability all year long?" Back then, there were no Office 2007 vulnerabilities yet, and I figured Microsoft was just dragging its feet on older versions of Office (which is just as bad, since they're widely in use). But there was a zero-day exploit reported for Office 2007 on 2/27/2007, and Microsoft couldn't come up with a patch for 3/13/2007 to plug that hole, leaving it open for at least another month. While there are some factors in Windows Vista that can mitigate some of the damage that can be done, we can't discount these vulnerabilities as anything less than extremely critical, since user data is at risk of theft, deletion, or ransom through encryption, and Microsoft's users are massive targets.

The fact of the matter is that Microsoft has done a relatively good job auditing its code and keeping its exploit count to a minimum, but it seems hell-bent on perpetuating the perception that Microsoft is a joke when it comes to security. For example, there have been only four critical exploits for Windows Vista this year compared to Apple's 62 critical exploits in the same timeframe, but that doesn't really matter. Since Microsoft is the biggest target because of its market share, Microsoft users will get attacked first. It doesn't matter how much hard work Microsoft puts into the SDL (Security Development Lifecycle) and how successful SDL is if it won't patch its few remaining vulnerabilities in a timely manner. Microsoft's customers will still be victims of malware, and Microsoft's reputation will still be in the tank -- and frankly, it's mostly deserved if it won't take timely patches seriously.

Talkback

82 comments
  • Some explanations

    George said: [i]"... but they seem hell-bent on perpetuating the perception that Microsoft is a joke when it comes to security. "[/i]

    1. Microsoft simply doesn't care. Typical monopoly behaviour says that they can treat you like dirt and you'll still buy their products, or

    2. They *are* a joke when it comes to security, or

    3. A major reorganisation is needed. The company has become so monolithic that work gets lost in the bureaucracy, or

    4. All of the above.


    Something needs to change.
    bportlock
    • Something needs to change alright

      Something needs to change alright, but you're not contributing anything.
      georgeou
      • You asked the question

        He provided some answers that have been known for years; I'm surprised you still don't believe them.
        deaf_e_kate
      • You want something more specific?

        OK - break Microsoft into at least three separate pieces, preferably in different locations/buildings.

        Division one - Produces Windows. Nothing else.

        Division two - Applications. Nothing else.

        Division three - Test and evaluation. Nothing gets released until it passes this lot. They can even use external companies. They get paid to find failures and to test to destruction.

        Divisions one and two are allowed no interaction so that applications don't get mixed in with OS code. Total separation of OS and apps would improve the robustness of both, reduce development cycle time and reduce overlap of attack vectors.
        bportlock
        • That would make for too level a playing field.

          "Total separation of OS and apps would improve the robustness of both, reduce development cycle time and reduce overlap of attack vectors"

          In a sense this would place Microsoft Apps at risk of actually competing. We cannot and will not allow that. We are having enough trouble with pesky open formats at the moment and the last thing we need is more level playing fields.

          What really needs to be done is reduce the size of the target. Hopefully when we reach less than 50% market share our problems will be greatly reduced.
          Zoraster
        • Can you imagine

          just how much application code would be removed from Windows and thrust in the direction of the Apps team? [b]No[/b] integrated apps - heck, Windows would lose half its bloat - not a bad thing at all.
          Fred Fredrickson
        • That would suck as bad as Linux

          No thanks.
          No_Ax_to_Grind
          • You're two days late!

            April Fools' Day was two days ago, a perfect day for you.

            If Windows applications were not part of the OS, Microsoft could actually port them to any other platform, increasing their market share! Gee...What a thought!

            That's why Linux will always be around, long after Windows finishes dying a slow death.

            Keep up the foolish comments; it seems every day is April Fools' Day every time you post.
            linux for me
          • Such a separation would also mean...

            ... that like Linux browsers, Windows would be less prone to attacks like the animated cursor and WMF fiasco.

            Cleaner code is better code. Mixing your OS and applications together to produce the software equivalent of a chocolate-chip cookie is never a good idea.
            bportlock
          • Good analogy - couldn't agree more

            There is something to be said for any OS that maintains security, simplicity and reliability. I have never owned a Mac, but I have a great deal of respect for those that developed it. I like Windows, but it has reached a point where I can no longer support it, as the support is questionable, as is the security, and I see no point in mentioning reliability. Linux is far from perfect, but it's more from the lack of vendor support with respect to hardware and software. If (a big supposition) Linux had the same support as Windows, there would be little doubt Microsoft would have a lot fewer supporters, although I believe the support base is changing, however slowly.
            intrepi@...
          • The Mac

            I've owned Macs since 1987. Since going to OS X, the apps became self-contained packages. The packages appear as a single icon in the Applications folder. To uninstall, just trash the icon. The only files left are the preference files (.plist) in the user's Library folder, which amount to nothing more than a text file. I love this UNIX way of doing it; it keeps things simple and clean. I'm sure keeping the apps separate from the OS has helped Apple's stability and security.
            observer1959
        • Wouldn't work.

          Companies have to get together to make sure the programs would work. The divisions would treat each other as preferred customer status. Besides they would get together again like ExxonMobil. The third company doing all the testing would do what for revenue? Why they would get paid to pass the other's code that they should be testing themselves in quality control instead of having a 3rd company do it. You just made loosely federated divisions with this clusterf*ck. Better to keep an eye on one entity from a legal viewpoint.

          I have a better idea. Have some competition that is in it for the long haul that uses business practices that have worked in the past. Let this competition develop an ecosystem independent of MS so that neither one depends on the other for existence. They could make things compatible but it would not matter.
          osreinstall
        • The judge wanted to

          This was the resolution set forth by the anti-trust trial judge, but because he made comments outside the courtroom, the appellate court overturned the resolution ruling. Had the judge made the same comment inside the courtroom, microswipe would have already been three separate companies that would have been legally prohibited from keeping secrets amongst themselves.
          JJQ1000
          • I never said it was an *original* solution

            [i]"This was the resolution set forth by the anti-trust trial judge, ..."[/i]

            But it would seriously help Windows' stability and maintenance.
            bportlock
      • Hi

        He did contribute something... before you decide what to change you have to analyse what's failing!

        Timbo
        TheBoyBailey
  • Still Blogging at the Airport?

    This entry has a few grammar issues.

    "three and a half month"

    "Microsoft won't turn it all for all applications by default"

    I know there are a couple more, but I need to get away from the boards and get to work. Take care.
    nucrash
    • Ou is not a journalist!

      He's a world-class Troll pretending to be a journalist
      An_Axe_to_Grind
      • Try and say something worthwhile

        If all you have to say is negative commentary, why bother? Any idiot can post this kind of nonsense. If you don't like what he has to say, don't read it, but don't assume your opinion is worth anything more than your post: worthless.
        intrepi@...
        • Nitpicking

          To the nitpickers: I suggest concentrating on the content of what's being expressed and the ideas or hypotheses put forth, not the grammatical minutiae. If it were a published book or English assessment test, it'd be a different matter. But given that this is a simple, daily tech blog, why do you consider these tiny grammar or spelling errors so critical? Snipes like this amount to nitpicking, since you're losing sight of the bigger picture by micro-analyzing the smaller one. Try writing a full-fledged thought-track daily and see how "picture perfect" your English is, especially when time is a constant, pressing consideration. The results might come back to surprise you - if you're human.

          But yes yes, life would be simpler and much more complete if we all could employ a proof-reader on call.
          klumper
          • I at least allowed him an excuse

            Though I was harsh, you notice that I only picked up on a couple of lines that could have been misinterpreted.

            No big deal. I did fail my senior English class. However, as I continued with my life, I did learn the importance of my communication skills.
            nucrash