Microsoft Patches New Vulnerability, Worm Expected

Posted by: Jay Lyman, February 11, 2004 10:15 AM

A major security vulnerability in Microsoft’s Windows operating system has security experts concerned about widespread attacks even though Microsoft has issued a patch for the problem. This time the flaw is in Microsoft's implementation of Abstract Syntax Notation One (ASN.1), the encoding standard used, among other places, in X.509 certificates and Kerberos. Microsoft, which rated the vulnerability critical, said that by exploiting an unchecked buffer in the Microsoft ASN.1 Library, an attacker could gain complete control of a computer and take actions that include installing programs; viewing, changing or deleting data; or creating new user accounts with administrative privileges.

It's time to bring up the past, Microsoft. I remember a few months ago Steve Ballmer bashing open source by saying open source patches are slower to be released and more unreliable than Microsoft's. Guess what, OpenSSL had a very similar vulnerability some months back. That was fixed within a couple of days. And it was fixed properly. So which is it, Ballmer? Security through obscurity has never worked. You know about a buffer overflow, of all things, for over six months and you don't fix it? All you do is hide it? That is sheer incompetence.

IIRC, isn't Microsoft supposed to be well into the 2nd year of the secured computing initiative? In that time period we've seen the worst security on their part in the history of Microsoft. We've seen their patching system go from awful to worse. We've seen them pay off security researchers to not look for new vulns (Thor Larholm). We've seen them sit on openly known exploits for months. We've seen them suggest workarounds for known exploits such as "don't click links on websites". We've seen them put bounties on the heads of people who exploit their crappy software (rather than putting the money into fixing problems). We've seen worms that take down most Windows machines in less than 10 minutes. Now, we've seen them cover up a vulnerability for over half a year, leaving everyone vulnerable.

If that's your version of secured computing, Microsoft, you've got a lot to learn. The irony of it all is they have the gall to attack others regarding security. Every piece of software has mistakes in it. What sets Microsoft apart from every software vendor, open and closed source, is their refusal to fix mistakes while accusing others of bad security.
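The article's one-line description of the flaw, an unchecked buffer in the ASN.1 library, is the whole bug class in miniature: in BER/DER every value is preceded by a length field that the sender controls, and a decoder that trusts that length for a copy can be made to write past its destination or read past its input. The following is an added illustration written for this page, not code from Microsoft's ASN.1 library, from the article or from the commenter; the two TLV records, the 16-byte `OUT_CAP` destination and all function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy BER/DER OCTET STRING decoder showing the bug class the article names:
 * a length field taken from the input and trusted for a copy. Constructed
 * example code for this page; not Microsoft's ASN.1 library. */

#define OUT_CAP 16   /* fixed-size destination a naive decoder might use */

/* Constructed record 1: tag 0x04 (OCTET STRING), short-form length 5, "hello". */
static const uint8_t BENIGN[] = { 0x04, 0x05, 'h', 'e', 'l', 'l', 'o' };

/* Constructed record 2: tag 0x04, long-form length 0x82 0x04 0x00 = 1024,
 * but only three value bytes actually follow. */
static const uint8_t MALICIOUS[] = { 0x04, 0x82, 0x04, 0x00, 'A', 'A', 'A' };

/* Parse a BER length at *pos: short form (< 0x80) or long form with one or
 * two length bytes. Returns 0 and advances *pos on success, -1 otherwise. */
static int parse_length(const uint8_t *buf, size_t buflen, size_t *pos, size_t *len)
{
    if (*pos >= buflen) return -1;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) { *len = b; return 0; }
    size_t nbytes = b & 0x7f;
    if (nbytes == 0 || nbytes > 2) return -1;      /* indefinite or oversized: reject */
    if (nbytes > buflen - *pos) return -1;         /* length bytes must be present */
    size_t v = 0;
    for (size_t i = 0; i < nbytes; i++) v = (v << 8) | buf[(*pos)++];
    *len = v;
    return 0;
}

/* VULNERABLE: the declared length drives memcpy. On MALICIOUS this would write
 * 1024 bytes into a 16-byte buffer and read past the end of the input.
 * Only ever called on BENIGN below. */
int decode_octet_string_unchecked(const uint8_t *buf, size_t buflen,
                                  uint8_t out[OUT_CAP], size_t *out_len)
{
    size_t pos = 0, len;
    if (buflen < 1 || buf[pos++] != 0x04) return -1;   /* not an OCTET STRING */
    if (parse_length(buf, buflen, &pos, &len) != 0) return -1;
    memcpy(out, buf + pos, len);                       /* BUG: len never checked */
    *out_len = len;
    return 0;
}

/* HARDENED: the declared length must fit the remaining input and the
 * destination. `len > buflen - pos` is used instead of `pos + len > buflen`
 * so the check itself cannot wrap around for huge len values. */
int decode_octet_string_checked(const uint8_t *buf, size_t buflen,
                                uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0, len;
    if (buflen < 1 || buf[pos++] != 0x04) return -1;
    if (parse_length(buf, buflen, &pos, &len) != 0) return -1;
    if (len > buflen - pos) return -2;                 /* declared > available */
    if (len > out_cap)      return -3;                 /* would overflow out */
    memcpy(out, buf + pos, len);
    *out_len = len;
    return 0;
}

/* The byte count the unchecked decoder would hand to memcpy for a record. */
size_t trusted_length(const uint8_t *buf, size_t buflen)
{
    size_t pos = 1, len = 0;                           /* skip the tag byte */
    if (buflen < 1 || parse_length(buf, buflen, &pos, &len) != 0) return 0;
    return len;
}

/* 1 if the hardened decoder accepts BENIGN and yields exactly "hello". */
int benign_decodes_ok(void)
{
    uint8_t out[OUT_CAP]; size_t n = 0;
    return decode_octet_string_checked(BENIGN, sizeof BENIGN, out, sizeof out, &n) == 0
        && n == 5 && memcmp(out, "hello", 5) == 0;
}

/* Hardened decoder's verdict on MALICIOUS (-2: declared length exceeds input). */
int malicious_result(void)
{
    uint8_t out[OUT_CAP]; size_t n = 0;
    return decode_octet_string_checked(MALICIOUS, sizeof MALICIOUS, out, sizeof out, &n);
}

int main(void)
{
    uint8_t out[OUT_CAP]; size_t n = 0;
    int rc = decode_octet_string_unchecked(BENIGN, sizeof BENIGN, out, &n);
    printf("unchecked on BENIGN: rc=%d, %zu bytes (fine on well-formed input)\n", rc, n);
    printf("MALICIOUS declares %zu bytes, %zu follow, destination holds %d\n",
           trusted_length(MALICIOUS, sizeof MALICIOUS), sizeof MALICIOUS - 4, OUT_CAP);
    printf("checked on MALICIOUS: rc=%d (rejected before any copy)\n", malicious_result());
    return 0;
}
```

Build with `cc -std=c99 -Wall asn1_len.c && ./a.out`. The unchecked decoder is deliberately never run against `MALICIOUS`: doing so is the overflow itself, not a demonstration of it. Two details matter in the hardened version: the length is compared against both the bytes actually remaining in the input and the destination's capacity, and the comparison is written as `len > buflen - pos` rather than `pos + len > buflen`, because with a wide enough length field the addition in the second form can wrap and pass the check the attacker most wants to fail.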