Microsoft Finds Time In Its Hectic Schedule To Fix A Six Month Old Vulnerability

by , 6:30 PM EST, February 10th, 2004

It's been quite a while since we've heard our friends in Redmond warn us of a critical flaw in any of their software (over a week, in fact!), so it's about time. According to an article at ZDNet, Microsoft has issued a patch for Windows NT, Windows 2000, Windows XP, and Windows Server 2003 that fixes a major flaw in the operating systems' networking code. The flaw was reported to Microsoft more than six months ago, according to eEye, a security solutions provider, and the folks there are none too happy about it. From ZDNet:

On Tuesday, the software giant released a fix for a networking flaw that affects every computer running Windows NT, Windows 2000, Windows XP or Windows Server 2003. If left unpatched, the security hole could allow a worm to spread quickly throughout the Internet, causing an incident similar to the MSBlast attack last summer.

[...]

The latest flaw exists in Microsoft's implementation of a basic networking protocol known as Abstract Syntax Notation One, or ASN.1. The code is shared by many Windows applications, and if left unpatched, it causes each program that uses the code to be an entry point into the operating system for an attacker.

[...]

eEye's Maiffret was critical of Microsoft for taking so long to issue the patch. "Two hundred days to fix this," Maiffret said. "It is obviously ridiculous."

Microsoft's Toulouse said the fix took so long to create because of the difficulties posed by such a pervasive technology.

You can read the full article at ZDNet's Web site.
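As an added illustration (not code from the original article, from ZDNet, eEye or Microsoft), the C decoder below shows the checks a BER/DER parser needs before it trusts a length field read from the wire. It does not reproduce the specific bug Microsoft patched, which the article does not describe; it demonstrates the general class of error that makes a shared ASN.1 library such a broad entry point: a length taken from untrusted input drives a copy or allocation without being compared against the bytes actually present, or without regard to integer overflow. The sample encodings (`good`, `truncated`, `huge`, `nonmin`) are constructed for this example.

```c
/* Minimal DER tag/length header decoder with the bounds checks an ASN.1
 * decoder needs. Example code only: not Microsoft's msasn1 library and not
 * the patched bug. Sample encodings below are constructed for this demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint8_t tag;
    size_t length;      /* declared content length */
    size_t header_len;  /* bytes consumed by tag + length octets */
} der_hdr;

/* Returns 0 on success, a negative code on malformed input.
 * Only single-byte tags are handled (enough for the universal types here). */
int der_read_header(const uint8_t *buf, size_t buflen, der_hdr *out)
{
    if (buflen < 2) return -1;                /* need tag + one length byte */
    size_t pos = 0;
    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f) return -2;      /* multi-byte tag: unsupported here */
    uint8_t lb = buf[pos++];
    size_t len;
    if (lb < 0x80) {
        len = lb;                             /* short form */
    } else {
        size_t n = lb & 0x7f;
        if (n == 0) return -3;                /* 0x80 = indefinite length: not DER */
        if (n > sizeof(size_t)) return -4;    /* cannot be represented: would overflow */
        if (buflen - pos < n) return -5;      /* the length octets themselves are truncated */
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[pos++];
        /* DER minimality: long form only for values >= 0x80, no leading zero octet */
        if (len < 0x80 || buf[pos - n] == 0x00) return -6;
    }
    /* The decisive check: the declared length must fit in the bytes that remain.
     * Skipping this (or computing pos + len and overflowing) is the classic bug. */
    if (len > buflen - pos) return -7;
    out->tag = tag;
    out->length = len;
    out->header_len = pos;
    return 0;
}

/* Copies the content of the first element into dst. Returns bytes copied,
 * or -1 if the header is malformed or dst cannot hold the content. */
int der_copy_content(const uint8_t *buf, size_t buflen, uint8_t *dst, size_t dstlen)
{
    der_hdr h;
    if (der_read_header(buf, buflen, &h) != 0) return -1;
    if (h.length > dstlen) return -1;
    memcpy(dst, buf + h.header_len, h.length);
    return (int)h.length;
}

/* Constructed sample encodings (OCTET STRING, tag 0x04). */
const uint8_t good[]      = {0x04, 0x03, 'a', 'b', 'c'};                 /* "abc" */
const uint8_t truncated[] = {0x04, 0x05, 'a', 'b'};                      /* claims 5, holds 2 */
const uint8_t huge[]      = {0x04, 0x84, 0xff, 0xff, 0xff, 0xff, 0x00};  /* claims ~4 GiB */
const uint8_t nonmin[]    = {0x04, 0x81, 0x03, 'a', 'b', 'c'};           /* long form for 3 */

/* A 128-byte OCTET STRING legitimately needs the long form (0x81 0x80).
 * Builds it at runtime, returns the decoder status, stores the parsed length. */
int demo_long_form(size_t *len)
{
    uint8_t buf[3 + 128];
    buf[0] = 0x04; buf[1] = 0x81; buf[2] = 0x80;
    memset(buf + 3, 'x', 128);
    der_hdr h;
    int rc = der_read_header(buf, sizeof buf, &h);
    if (rc == 0) *len = h.length;
    return rc;
}

int main(void)
{
    der_hdr h;
    size_t n = 0;
    printf("good:      %d\n", der_read_header(good, sizeof good, &h));
    printf("truncated: %d\n", der_read_header(truncated, sizeof truncated, &h));
    printf("huge:      %d\n", der_read_header(huge, sizeof huge, &h));
    printf("nonmin:    %d\n", der_read_header(nonmin, sizeof nonmin, &h));
    printf("long form: %d (len %zu)\n", demo_long_form(&n), n);
    return 0;
}
```

The two rejections that matter most are `truncated` and `huge`: both declare more content than the buffer holds, and a decoder that hands the declared length straight to `memcpy` or an allocator reads or writes past the end of what it was given. Every application that links such a library inherits the same fault, which is why the excerpt above describes each ASN.1 consumer as a separate entry point.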

The Mac Observer Spin:

The flaw could allow a worm to spread quickly throughout the Internet? Well, jeepers, that's never happened before (or before that, or before that)!

Further, it would have been nice if Microsoft had had more than six months to work on the problem. Any other operating system provider surely couldn't have had a fix for it in less than a week!

Sarcasm aside, it's good that Microsoft released this patch at all, severely late or not. Now, if only the company would put as much effort into quashing bugs as it does in forcing its way into new markets, preventing competition, locking people into its insecure, buggy platform, convincing governments and corporations of the world to not consider better solutions, and squeezing every last dollar out of people who don't know any better or can't help it, the company might be able to put out a decent operating system and suite of software once in a while.

Of course, that's just wishful thinking. Microsoft is making money hand over fist releasing shoddy software (on the Windows side), and most people don't even think twice. Hooray for monopolies.

Oops, there's that sarcasm sneaking in again.

We'll try to end this on a more professional note and point out that eEye's reaction to the delay in releasing this patch is a big part of why many security people don't work with Microsoft in the first place. White Hat hackers used to routinely report bugs to Microsoft, which would then do little or nothing about them. That led the security pros to simply announce the flaws they had found, either immediately or once a disclosure deadline they had given Big Redmond had passed.

After the Department of Homeland Security began applying pressure, and public resentment of Windows' shoddy security record began to mount, Microsoft did an about-face and started addressing these problems far more quickly.

Or so it seemed: 200 days is an awfully long time, and will no doubt leave many in the security world a bit exasperated.

In the meanwhile, we'll enjoy our Macs.