[Full-disclosure] Steve Gibson smokes crack?
stan.bubrouski at gmail.com
Fri Jan 13 21:40:05 GMT 2006
I wasn't agreeing it's a conspiracy, I was just saying they knew about
this being serious for a while and did nothing about it until it went
public for whatever reason.
On 1/13/06, bkfsec <bkfsec at sdf.lonestar.org> wrote:
> Stan Bubrouski wrote:
> >Ordinarily I'd argue, but it's hard to when we find out Microsoft knew
> >about the bug for a long time and made a conscious decision not to
> >patch it even though they knew it could lead to a system compromise.
> >People commented on how Microsoft put out a patch quicker than they
> >usually would but this is NOT THE CASE. According to Microsoft
> >itself, they knew about the bug months before it was reported in
> >December. Don't give credit where it's not earned...
> I'm going to try to walk the line here. I loathe defending Microsoft,
> and I'm not defending them for their historical conduct, but I still
> can't see conspiracy theories being accurate yet.
> A few incidents ("NSA" backdoor) aside, Microsoft's history with
> security has been one of ineptness, not "maliciousness" per se. This is
> their history going back to before they purchased IE, and something that
> became really evident when they first began rebuilding Mosaic. The WMF
> bug is in line with their development methodology up until (and in some
> ways including) recently. Microsoft's development mantra was, for a
> long time, ease of use at the expense of everything else. When NT came
> out and Microsoft moved from producing OSes that were not network ready
> out of the box and toy-like GUI infrastructures, the impacts of that
> strategy were transposed onto administrators and users (now more
> vulnerable than ever) alike.
> Ease of use became Ease of administration, and that became Ease of
> development. Netscape and Sun were threatening Microsoft's monopolistic
> paradigm with a new platform for application development that was easily
> cross-platform and as a result, IE had to become an even more robust
> method of distributing application and administration capabilities.
> We now see the fallout of that decision. The web browser was never
> meant to be an application subsystem - it was meant to interpret text
> documents into more visual documents organized in a linked fashion. It
> was never meant to run code on systems, but that's what it's become.
> The act of making that easier attracted every simpleton web developer
> who couldn't hack it anywhere else. Administrators saw ActiveX as a way
> to remotely administrate PCs they couldn't get to in any other way.
> These were mistakes... big mistakes from a security standpoint. But
> security was second to attracting new fresh bodies who could fill the
> seats and drone on endlessly about how awesome Microsoft was.
> And this pattern is what I see here -- ineptness in the interests of
> It's one thing to say that they sat on the knowledge that this was
> exploitable. It's another thing entirely to claim that they knowingly
> made it for the point of exploiting PCs if ActiveX was disabled.
> Given their history and the hallmarks of this flaw, I have a hard time
> making that leap.
Full-Disclosure is hosted and sponsored by Secunia.