
Re: [Full-disclosure] Steve Gibson smokes crack?



I wasn't agreeing it's a conspiracy, I was just saying they knew about
this being serious for a while and did nothing about it until it went
public, for whatever reason.

-sb

On 1/13/06, bkfsec <bkfsec@xxxxxxxxxxxxxxxx> wrote:
> Stan Bubrouski wrote:
>
> >Ordinarily I'd argue, but it's hard to when we find out Microsoft knew
> >about the bug for a long time and made a conscious decision not to
> >patch it even though they knew it could lead to a system compromise.
> >
> >People commented on how Microsoft put out a patch quicker than they
> >usually would but this is NOT THE CASE.  According to Microsoft
> >itself, they knew about the bug months before it was reported in
> >December.  Don't give credit where it's not earned...
> >
> >
> >
> I'm going to try to walk the line here.  I loathe defending Microsoft,
> and I'm not defending them for their historical conduct, but I still
> can't see conspiracy theories being accurate yet.
>
> A few incidents ("NSA" backdoor) aside, Microsoft's history with
> security has been one of ineptness, not "maliciousness" per se.  This is
> their history going back to before they purchased IE, and something that
> became really evident when they first began rebuilding Mosaic.  The WMF
> bug is in line with their development methodology up until (and in some
> ways including) recently.  Microsoft's development mantra was, for a
> long time, ease of use at the expense of everything else.  When NT came
> out and Microsoft moved from producing OS' that were not network ready
> out of the box and toy-like GUI infrastructures, the impacts of that
> strategy were transposed onto administrators and users (now more
> vulnerable than ever) alike.
>
> Ease of use became Ease of administration, and that became Ease of
> development.  Netscape and Sun were threatening Microsoft's monopolistic
> paradigm with a new platform for application development that was easily
> cross-platform and as a result, IE had to become an even more robust
> method of distributing application and administration capabilities.
>
> We now see the fallout of that decision.  The web browser was never
> meant to be an application subsystem - it was meant to interpret text
> documents into more visual documents organized in a linked fashion.  It
> was never meant to run code on systems, but that's what it's become.
> The act of making that easier attracted every simpleton web developer
> who couldn't hack it anywhere else.  Administrators saw ActiveX as a way
> to remotely administrate PCs they couldn't get to in any other way.
> These were mistakes... big mistakes from a security standpoint.  But
> security was second to attracting new fresh bodies who could fill the
> seats and drone on endlessly about how awesome Microsoft was.
>
> And this pattern is what I see here -- ineptness in the interests of
> feature-creep.
>
> It's one thing to say that they sat on the knowledge that this was
> exploitable.  It's another thing entirely to claim that they knowingly
> made it for the point of exploiting PCs if ActiveX was disabled.
>
> Given their history and the hallmarks of this flaw, I have a hard time
> making that leap.
>
>              -bkfsec
>
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/