Tuesday, February 10, 2004

Another Critical Microsoft Hole

Today Microsoft announced their Security Updates for February 2004. Security consultancy eEye told Microsoft about one of the flaws, called MS04-007 by Microsoft, six months ago. The vulnerability affects code using Microsoft's ASN.1 library (MSASN1.DLL).

The OpenSSL team reported a vulnerability and fix for ASN problems in September 2003. The Slashdot thread makes good points about how Microsoft claims to fix errors faster and better than open source software. The following was published by The Register last October to recount an interview with Bill Gates at the TechNet/MSDN seminar in The Hague:

"Microsoft is making progress. The company writes more secure code, essentially because of tools that show where problems might occur. It is also fixing problems much faster than it used to. Gates: 'We've gone from little over 40 hours on average to 24 hours. With Linux, that would be a couple of weeks on average.'"

Who is Microsoft kidding?

I'm appalled by Microsoft's security record. My next commercial system will not run Windows; none of my infrastructure devices run Windows now. When we decide to buy a new system with a commercial OS, it's going to be a Mac.

If you think this announcement is the end, check out eEye's pipeline. They've got better future prospects than Big Pharma, with seven more advisories on deck. They told Microsoft about four of them over two months ago, and still we're waiting for patches. I'm sure the underground isn't waiting.

You can read centralized information on this vulnerability at the US-CERT. From what I understand the US-CERT is taking an operational security role, dealing with the public and so on. The CERT is transitioning to more of a research role, providing serious technical expertise but stepping out of operational duties.