Re: [Full-disclosure] Microsoft's Real Test with Vista is Vulnerabilities
- To: Brate Sanders <brate_sanders@xxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Microsoft's Real Test with Vista is Vulnerabilities
- From: Gadi Evron <ge@xxxxxxxxxxxx>
- Date: Tue, 27 Jun 2006 10:41:24 -0500 (CDT)
On Tue, 27 Jun 2006, Brate Sanders wrote:
>
> Honestly, do you believe MS would care too much about security in Windows or
> their applications? If they did, would they come out with the One Live
> subscription based solution to protect against their design/implementation
> vulnerabilities? Once One Live subscription becomes more widespread you can
> expect press releases like, if you are using One Live this vulnerability will
> not affect you. If not we are working on a solution for your problem, which
> may be available in your next monthly patch cycle.
>
> Microsoft has tried multiple times in the past to come out with a
> subscription model for Windows, which has failed every time. So now they have
> another opportunity to get into the subscription based model. They may even
> give away Windows OS for free and just charge you for the OneLive solution,
> since it is a better business model any way you consider it.
>
> So if they can earn more from the subscription based security solution where
> is the incentive to make the OS more secure? Eventually they are a
> corporation aimed at maximizing their shareholder value.
>
> Brate Sanders
I am far from a Microsoft marketing expert... but what you say is
interesting.
>
> ----- Original Message ----
> From: Gadi Evron <ge@xxxxxxxxxxxx>
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Cc: funsec@xxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
> Sent: Tuesday, 27 June, 2006 5:15:20 PM
> Subject: [Full-disclosure] Microsoft's Real Test with Vista is Vulnerabilities
>
> Vista, the solution to all our problems: Microsoft portrays Vista as
> anything from the end of software vulnerabilities to the end of spyware.
>
> In my opinion, that is irrelevant as both problems are not going to go
> away. They are part of how software systems and the Internet work, and
> that's that. The Bad Guys with their ROI won't give up that easily.
> What is going to happen though is that creating and exploiting these would
> become more difficult.
>
> *Vista is not the Holy Grail or some "silver bullet". It is a test for
> Microsoft. It will be a clear indication of how far Microsoft has advanced
> in the realm of developing secure software, if at all*.
>
> How so...?
>
> In the past I posted claims that stated Microsoft has advanced
> considerably in recent years, and today, it has become very difficult
> to find vulnerabilities in Microsoft products. Naturally this doesn't
> apply to Internet Explorer. :)
>
> Their code is very professional and heavily reviewed. Unless you spend
> significant resources and time on the task, you are not likely to find
> even Denial of Service vulnerabilities, not to mention Code Execution
> vulnerabilities in their code.
>
> When you do find one, the vulnerability will most likely be a logical
> flaw. Microsoft has no problem committing incredible resources to code
> review.
>
> However, we need to take into account the Excel case:
> Last December Noam wrote of eBay bids on an Excel 0day vulnerability,
> which later on were also announced on the Full-disclosure mailing list.
> The issue of bidding for exploits on eBay led to a heated discussion and
> many blog entries.
>
> In the coming months after that, Microsoft announced in its monthly
> security patches release (Patch Tuesday a.k.a. Black Tuesday) several
> Excel vulnerabilities.
>
> In this last month, it happened again.
>
> Then the first (but not last!) of the Excel 0days was disclosed. Here is
> what Juha had to say about it.
>
> What does this mean, and how does this work with what every decent reverse
> engineer will tell you: Microsoft's code is very professional.
>
> The answer is divided into two:
> 1. QA.
> 2. Untouched code-base.
>
> Microsoft is basically using legacy code that has been reviewed and
> attacked countless times by countless people since Windows NT if not, in
> some cases Windows 3.1 (gdi32.dll anyone?).
>
> Is it any wonder new vulnerabilities are so difficult to come by? Everyone
> in the industry has been trying for, at the very least, over a decade. We
> can't tell if their code is that good due to their ability.
>
> Excel on the other hand is a code-base which didn't in the past receive that
> same kind of scrutiny very often. When the kiddie on Full-disclosure and
> eBay issued his challenge, what happened was that many people started
> aiming at Excel.
>
> Much like it often happens with vendor advisories with little to no details,
> new vulnerabilities were found other than the one the kiddie (whoever or
> whatever he really was) supposedly found.
>
> Several patch releases with official bulletins, several 0days... fun,
> ain't it? Not related you say? Maybe.
>
> So.. yes. Microsoft's code is very professional, but we can't really rank
> their ability on it due to the immense efforts by everyone outside of
> Microsoft to do their QA for them.
>
> When Vista comes out, regardless of all the cute security features it will
> have, some of which will raise the bar for security researchers, it
> *WILL* have vulnerabilities.. and not too long after the release.
>
> The amount of vulnerabilities and their complexity will tell us more of
> Microsoft's real ability with security today, than anything else.
>
> Microsoft can claim Vista is the Holy Grail all they like, and indeed,
> some of these security features are intriguing... in my opinion though,
> the real question is what Vista will show us:
> 1. It's a new untested code-base out for play.
> 2. Microsoft supposedly learned a thing or two since Windows 95.
>
> Your guess is as good as mine and the results of this test will be very
> telling.
>
> Gadi Evron.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/