Foresight?

If Tyranny and Oppression come to this land, it will be in the guise of fighting a foreign enemy
James Madison (American 4th US President (1809-17), and one of the founding fathers of his country. 1751-1836)

Tuesday, April 3, 2007

eEye patches Vista animated cursor flaw, much to Microsoft's dislike.

Some of you may have heard about the animated cursor flaw in Vista...which in the wrong hands can leave your machine in a crashing-restart loop. If not, here ya go...more info on the "Animated Cursor Flaw" brought to you by Betanews, and the official release by Microsoft on the matter here: "Microsoft Security Advisory (935423) / Vulnerability in Windows Animated Cursor Handling". Now that we are up to date on the problem...here is more info on the eEye fix for the ANI vulnerability, and for the record...here is the link to the patch (scroll to the bottom part of the page for the download)! Alternately...eEye has also added the patch or fix for this vulnerability to their Blink Security Software. These patches by eEye have left Microsoft in a precarious position...which ultimately amounts to...saying they don't recommend using these 3rd party patches.

Now that we have all that googly doo out of the way...this whole issue has brought up an interesting possibility in the whole "Responsible Disclosure" debate and the overall issue between security firms and software companies. Now the main problem between the two is how long you wait to publicly disclose a vulnerability after it has been discovered and reported to the developer or company. Also, there is the issue of how you reimburse these flaw finders in an attempt to keep flaws from being traded or sold on the undernet, however that is a whole other issue. Now...on to my point...what is really keeping these security firms, other developers, or Joe Good from making their own patches for these flaws? Thus circumventing any wait, which can be exceedingly long, and closing the door on such flaws. The length of time between when a flaw is disclosed and when it is ultimately fixed is the big issue...when it can take some patches months, if not years, to come to fruition. IMO...good for eEye for doing this...as it has apparently gotten Microsoft off their ass to get this done ASAP. Funny how one company's good deed has spurred another company to actually do the right thing and fix something quickly.

- "3rd Party Patches Critical Windows Flaw" @ Betanews
- "Microsoft to Fix Critical Vista Flaw Early" @ Betanews
- "Microsoft knew of Windows .ANI flaw since December 2006" @ ZDNET BLOGS
