[Update: here's a recent case (20040731)]
Also, a manager of "Microsoft's security business and technology unit" (who knew they actually had one - their products bear no evidence that such an effort exists) boldly claims that "We have never had vulnerabilities exploited before the patch was known."
When spin gets that thick it feels a little as if the world is turning into a television courtroom drama. A place where all sanity ends, where the truth is completely irrelevant and the only thing that counts is to utter your unfounded self-serving opinions strongly and with great conviction.
To its credit, Microsoft itself provides security bulletins proving the statement false. This bulletin contains the following statement:
What are the new security vulnerabilities addressed by the patch?
There are a grand total of five newly discovered vulnerabilities:
[...]
What’s the scope of the first vulnerability?
The first vulnerability is a denial of service vulnerability [...] The vulnerability is being actively exploited by the “Code Red” worm, and this has been widely, although incorrectly, reported as being due to a flaw in the patch provided in Microsoft Security Bulletin MS01-033. In fact, this is a completely different and previously unknown vulnerability.
I.e., at the time the patch was made available, it was already correcting a flaw that was being actively exploited.
Then of course there is the much bigger issue of a generally unsafe architecture like the many security problems with HTML email and with ActiveX in browsers as well as scripting in Office applications. These features make virus writing so simple that literally any kid can do it. I have always felt that there was a distinct mismatch between the simplicity of virus writing and the harsh demonization of virus writers - the carelessness that makes virus writing so simple should be factored into the equation also.
Posted by Claus at February 27, 2004 03:01 AM