Microsoft Software Defects


Microsoft’s monthly batch of security patches for June 2012 includes critical fixes for security holes in a wide range of Microsoft applications.

Seven security bulletins address twenty-eight documented vulnerabilities in Microsoft Windows, Internet Explorer, Visual Basic for Applications, Dynamics AX, and the .NET Framework. Three of the 7 bulletins are rated “critical”, especially with regard to the reliability of .NET. These bulletins address flaws that could lead to remote code execution attacks with little or no user interaction. Four bulletins will carry an “important” rating and deal with vulnerabilities that could be exploited in code execution and privilege corruption.

Microsoft also released an emergency fix to block “active attacks” that use unauthorized digital certificates from the Microsoft Certificate Authority. This can lead to sophisticated man-in-the-middle attacks as part of the Flame malware, which has suspected links to sophisticated attackers.

SUMMARY
The highly distributed Microsoft software has created an industry-dominant vulnerability surface for its offerings because.  Software updates must ultimately take place in millions of locations after the defects are announced.

Individual software packages, such as Windows, Visual Basic, etc., manage software reliability through the largely centralized project teams at Microsoft HQ, which is time-consuming. The diversity of code, the large number of options, a persistent compulsion for maintaining upward compatibility and the organizational separation between hardware testing and implementation increase the number of defects. Once a software fix is identified, tested and then distributed, it may take an additional indefinite amount of time before it can actually be installed as a protective measure.

In contrast, centrally managed software architecture and vendor-distributed software can instantly update millions of devices and thousands of servers. There is no major gap in time between the discovery of a “bug” and when the fix can be installed. With malware actors increasingly depending on zero-day defects, the advantages of cloud-based software maintenance surpass the methods currently deployed by Microsoft for maintaining software integrity.

For comments please e-mail paul@strassmann.com