more security stuff and a shout out to ZDNet

Published 22 June 09 02:44 PM | ronaldg

Most of you who follow this blog know that I’ve recommended articles by Ed Bott on ZDNet from time to time in the past and would recommend his blog as a good source of technical and other info on Windows.  In fact, I would encourage you to read his blog post from 6/18 around the launch of the “Morro” beta, aka Microsoft Security Essentials, if you aren’t already familiar with that.

Ed Bott’s Microsoft Report | ZDNet.com

But this post isn’t really about Ed or Morro, but about a couple of other posts on ZDNet that I ran across lately.

Besides Ed, one of the other bloggers that I think puts out some good stuff is Ryan Naraine, who writes a security-focused blog, also on ZDNet.

Here are the three posts I wanted to highlight.  The titles should be self-explanatory.

Microsoft patches 31 Windows, IE, Office security holes
Apple Safari jumbo patch: 50+ vulnerabilities fixed
Adobe patches 13 critical Reader, Acrobat vulnerabilities

As you should also remember, I recently did another post on “Security by obscurity…” where I highlighted the results of this year’s PWN2OWN event, where once again the Apple products proved to be much easier to exploit than the Microsoft ones.  But mostly it was supposed to be about reminding you that Microsoft, in recent years, has made a deep commitment to security and that this should give you confidence in this aspect of our software.  What got my attention about these three was that even though there were 31 vulnerabilities fixed by Microsoft, they ran across a gamut of products from AD (2) to Print Spooler (3) to Works, including IE (8).   So here comes a Safari update with 50+ fixes for vulnerabilities in a single product, some rated extremely critical – WOW.   It was interesting to read a few of the “talkbacks” and see how some Mac folks are still in denial that their platform is not the bulletproof bastion they have always thought it to be.   One of the questions that crossed my mind, and why this was interesting to me in my context of security by obscurity, is not so much that Safari had so many holes, but that it would appear that Apple doesn’t feel the need to release these patches until so many have built up, including some extremely critical ones.  It all goes back to the point I was hoping to make in the security by obscurity post: I’m hoping that you understand and can articulate the platform value proposition around the Microsoft commitment and approach to security.

Another point of interest to me was the third post around the Adobe patches.  Here’s an excerpt from Ryan’s blog:  “Adobe has issued its first ever scheduled quarterly update for its Reader/Acrobat product line, a mega-patch covering 13 documented security vulnerabilities.  The patches address “critical vulnerabilities” in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions.  “These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system,” Adobe warned in an advisory.  The company also acknowledged it has silently fixed several security problems that are not being publicly documented.”  If you followed PWN2OWN, you know that Adobe products have historically been used as exploit gateways, and now, finally, Adobe has deemed it worthwhile to issue “scheduled quarterly updates”.  But as with Apple, the main point here is to show you indicators of how little priority security seems to have at some of the leading software companies and to point out, in contrast, how Microsoft’s embracing of the SDL (Secure Development Lifecycle, part of the Trustworthy Computing Initiative) should be something you make sure your customers understand is an advantage of the Microsoft platform that you are providing and supporting for them.
