Monday, January 02, 2006

Third Party Windows wmf Exploit Patch Made Available

Ilfak Guilfanov (the author of the patch) may be a nice guy, a capable programmer, and perhaps even a local hero. I'm not certain if I would install a patch into an OS that didn't come from the OS vendor. Of course, as of the time of this post, there is none, millions of computers are exposed, and aye, that's the rub.

This is different from 1980-1995, where the OS was relatively simple, DOS didn't have memory management or disk management (such as defrag) capabilities, and third party manufacturers such as Quarterdeck and Central Point (RIP) provided same. Indeed if a system file became corrupt, one could always reinstall pieces of or the entire operating system, quickly and painlessly, without necessity for 'net connection or authentication. Keep a copy of one's latest config.sys or autoxec.bat, even your command.com or win.ini files, and a simple copy over usually fixed most problems.

At that time, there were no high expectations that DOS was meant to really work without ever crashing, and most security problems arose from inserting infected floppy disks from friends, children, or employees with both. Certainly also at that time the expectation was that there could be no liability for such unstable platforms, because *everyone* knew that they were unstable, and used them nonetheless.

And so, for the early years of DOS, I label using these early OS's as an assumption of risk. MS has had twenty years of Wwindows and DOS programming experience to get security right, and I think that an "assumption of risk" approach is no longer applicable. On the other side of the argument, is there now some sort of "mitigation of risk" approach that might be used as (1) a shield when MS claims that the use of an authorized patch insulates it from liability, or "voids" any warranties or reps or (2) as a sword when attempting to obtain equitable relief? This is not like the situation where HP will disclaim a warranty when one uses a non-HP printer cartridge in an HP product. The product tend to work in the first instance, and third party products are provided as a cost saving measure only.

The problem with the operating system is now is that the problem *is* the operating system. All the PR, "trustworthy computing" articles, "crisis rooms" and "scientists" and "visions of the future" won't ameliorate that problem unless real, constructive action is taken. I find it discomfiting that a garage-level programming operation (no disrespect intended) has issued a patch for a critical flaw before MS can get its arms around it sufficient to provide its paying customers with secure and trusted (I consider the term "trustworthy" a semantic nullity) computing systems.

What's old is new again.

The link to the SANS Internet Storm Center article: http://isc.sans.org/diary.php?storyid=996

S

No comments: