In many recent interviews Microsoft has vowed their firm commitment to security all the wile demonstrating the exact opposite.
Case in point: On December 28th US-CERT issued security advisory VU#181038 pertaining to all versions of Microsoft operating systems. This is a 0-day vulnerability.
We all know that US-CERT generally issues advisories (at least) a few days after the initial discovery. In this case the vulnerability and corresponding incidents where first discovered on December 27th according to McAfee.
Upon examining the Microsoft security bulletin 912840 associated with this vulnerability you will notice that it was Published December 28th. The same day as the US-CERT announcement and one day after its initial discovery. A serious vulnerability that effects ALL versions of the number one most used operating system in the world, and they wait a day to even post an advisory on their web site?
Even this isn’t what bothers me the most. What really got me was when I visited Microsoft.com trying t to find more information. At current they have a giant flash animation (it takes up about 75% of the page) that contains a sun flower set against the recognizable windows “blue sky, green grass” backdrop wearing sunglasses with the heading “start having fun”. So this vulnerability isn’t being displayed prominently. Lets look closer at the front page and see if we can find a link to information on this vulnerability. Look all you want, its not there. No mention on the home page at all.
So lets click on security. Its sure to be listed there. Once again, look all you like. You won’t find it.
No patch exists, it results in a remote code execution on a fully patched Windows XP, 2003 server, etc and Microsoft makes no mention of it on both their home page and their security page.
I think its time Microsoft stop jawing about this commitment to security and start demonstrating it.
