Wednesday, January 11, 2006

Microsoft to Look for Potential Security Flaws

In a move that is best described as wayyyyyyyyyyy overdue, Microsoft says it plans to scour its code to look for flaws similar to the recent serious Windows bug (see last week's blog) and to update its development practices to prevent similar problems in future products. So why did this move take so long?

According to Microsoft, the flaw in the way Windows handles Windows Metafile (WMF) images is different from any security vulnerability the company has dealt with in the past. A typical flaw is an unforeseen programming error, such as a missing bounds check, that an attacker can use to run code. By contrast, according to Microsoft, the WMF problem lies in a documented software feature being used in an unintended way: the file format is allowed to ask the rendering engine to do something that should never have been reachable from untrusted image data.

In response to the new threat, the software company is pledging to take a look at its programs, old and new, to avoid similar side effects. For a company the size of Microsoft, this new initiative should have been done years ago.

To its credit, Microsoft has been working for four years to improve its security posture, beginning with its Trustworthy Computing Initiative, launched in 2002. But, one analyst said the WMF problem is not a good advertisement for Microsoft's security efforts as the legacy issue seemingly went undetected. Another analyst says, "This should have been caught and eliminated years ago. They overlooked image format files, and that is where this WMF issue came in."

Microsoft now faces a race with cybercriminals, who are likely on the prowl for the same bugs. And guess what? The bad guys are winning.

Just days after rushing out an emergency fix to counter a rash of security attacks using the WMF flaw, security researchers claim there are at least two new flaws in the way the Windows graphics rendering engine handles WMF images. So far the issues can be used only to crash the renderer, a denial-of-service attack, but there are fears that other kinds of attacks may be possible if the exploit is modified.

Microsoft says it has already identified the issues as part of its ongoing code maintenance and is evaluating them for inclusion in the next service pack for the affected products. The new flaws affect fully patched versions of Windows 2000, Windows XP (Service Pack 2 included) and Windows Server 2003.

Microsoft is such a huge company in terms of its size, its financial position, and its control of the huge computing market. They were warned many, many years ago that their coding methodology would lead to all kinds of problems in the future, but they chose to proceed regardless. And it is all of us who suffer. I am frankly sick of it.
