[Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?



[I have given this some thought, edited my argument, and am moving this
message to its own thread.]

Microsoft has put a lot into securing its code, and is very good at
doing so. However, is it doing enough?

My main argument is about the policy of handling vulnerabilities for 6
months without patching (such as the Google attacks 0day apparently was)
and the policy of waiting a whole month before patching this very same
vulnerability when it first became an in-the-wild 0day exploit (it has
now been patched, ahead of schedule).

Microsoft is the main proponent of responsible disclosure, and has shown
it is a responsible vendor. Also, patching vulnerabilities is far from
easy, and Microsoft has done a tremendous job at getting it done. I
simply call on it to stay responsible and amend its faulty and dangerous
policies. A whole month as the default response to patching a 0day? Really?

With their practical monopoly, and the resulting monoculture, perhaps
their policies ought to be examined for regulation as critical
infrastructure, if they can't bring themselves to be more responsible on
their own.

This is the first time in a long while that I find it fit to criticize
Microsoft on security. Perhaps they have grown complacent with the PR
nightmare of full disclosure a decade behind them, with most
vulnerabilities now "sold" to them directly or indirectly by the
security industry.

Gadi.


--
Gadi Evron,
ge@xxxxxxxxxxxxx

Blog: http://gevron.livejournal.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
