Passions about Microsoft's product security tend to run hot. Despite the gains Microsoft has made in promoting more secure software, a majority of security practitioners appear to still believe current results fall well short when it comes to the software giant's OS and application software security.
That sentiment, extracted from a recent minipoll, may provide the type of fuel to reheat the security research community's ongoing full-disclosure debate.
Several weeks ago, Chinese researcher Liu Die Yu posted several Internet Explorer flaws to the Full-Disclosure security mailing list. His reasoning: Microsoft hasn't given him credit for prior vulnerabilities he reported.
That rationale doesn't sit well with some security practitioners.
"I believe that protecting others' assets should come before our ego," said Justin G. Francis, a security administrator at an entertainment retailer. He suggests that individuals who find flaws take other steps to prove that they were first in uncovering a flaw.
Other reasons researchers have given for similar announcements include fear of prosecution and excessively long delays in the patch creation process. Many have cited full, public disclosure as a necessary component to get vendors to solve a security problem.
"Perhaps all of these flaws should be sent to the vendor and to the Department of Homeland Security," said Richard Guaraldo, director of information security for an East Coast public relations firm. "DHS should then have some system to see that they are dealt with swiftly and efficiently by the software vendor. Perhaps there should also be a list indicating the date of discovery of a flaw, but not describing the nature of the flaw, thereby not accelerating exploitation. The flaw could even be given an ID number."
"The goal is to expose the problem and put the vendor on notice that it needs to be fixed ASAP, without unnecessarily publishing the details of the problem," added Guaraldo. "The response of providing a fix to the flaw ID number signifies the problem has been corrected."
Whatever individual feelings on disclosure may be, a recent Security Wire Perspectives minipoll reveals that 60% of our readers who responded don't think Microsoft is doing enough to address OS and application patch management issues. Nearly 70% don't believe Microsoft is doing enough to improve its software security.
Of more than 450 respondents, 55% say Microsoft's security hasn't changed since it launched its Trustworthy Computing initiative in 2002.
In 2003, Microsoft created a centralized patch site, began issuing its patches monthly instead of weekly and reduced its patch size. Still, 64% think its recent patching-process initiatives will save time but don't address the root of the security problem.
Microsoft couldn't comment as of press time.