[nycbug-talk] MS moves on. . .
G.Rosamond
george
Thu May 20 10:16:12 EDT 2004
MS has been talking this for a while now. . .but here's some
documentation. . .picked these up off an Undeadly.org reply. . .
http://www.microsoft.com/uk/windowsserversystem/exchange/product-information/features-at-a-glance/security.mspx
And here's another . . .
http://www.alchemistowl.org/arrigo/images/RSA2003-Microsoft-Arrigo-small.jpg
IMO, I do think MS has made some progress, relative to where they were
in the past, but they have a long way to go. An install of Server 2k3
is a big leap from NT 4.0, there's no question. They've still got a
long way to go, as I'm getting the impression there's not much more to
the "Secure by Default" advertising campaign than an advertising
campaign.
2K3 Server, for example, does give the admin a simple gui to determine
the role of the server, i.e., file, print, dns, etc. And Internet
Explorer is filled with warnings and so on when you attempt to browse
in the default setup. It's very likely this is all just window
dressing.
However, one thing Theo mentioned in his Exploit Mitigation Techniques
talk was about OBSD's use of canaries to avoid buffer overflows.
Apparently, MS is doing the same, although their placement of canaries
does nothing. It would be good if someone could elaborate on the role
of canaries. . .
Interestingly enough, it was the only anti-MS comment I heard the
entire weekend at BSDCan. . .
g
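As an added illustration of the canary question raised above (example code written for this page, not from George's post, OpenBSD or Microsoft): a C simulation of two frame layouts, one with the guard between the buffer and the saved return address and one with the guard below the buffer. The frames, the fixed canary value and the clamped copy are constructed for the demonstration; a real stack protector uses a random per-process canary and aborts the process when the check fails.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CANARY_VALUE 0x0f1e2d3c4b5a6978ULL /* constructed; real canaries are random per process */

/* Layout a stack protector emits: the guard sits between the local buffer
 * and the saved return address, so an overflow reaching the return address
 * must first pass through (and change) the canary. */
struct guarded_frame { char buf[16]; uint64_t canary; uint64_t saved_ret; };

/* Guard placed below the buffer: the overflow runs upward, away from the
 * canary, so the epilogue check passes although saved_ret was overwritten. */
struct misplaced_frame { uint64_t canary; char buf[16]; uint64_t saved_ret; };

enum verdict { CLEAN = 0, DETECTED = 1, MISSED = 2 };

/* Simulate an unchecked copy of len bytes into buf and then run the epilogue
 * check. Returns DETECTED when the canary changed (a real protector aborts
 * here), MISSED when saved_ret changed but the canary did not, else CLEAN.
 * The copy is clamped to the frame only to keep the simulation well defined. */
static enum verdict check_frame(unsigned char *base, size_t size, size_t buf_off,
                                uint64_t *canary, uint64_t *saved_ret,
                                const unsigned char *input, size_t len)
{
    const uint64_t ret_before = 0x400000; /* constructed stand-in for a return address */
    *canary = CANARY_VALUE;
    *saved_ret = ret_before;
    if (len > size - buf_off) len = size - buf_off;
    memcpy(base + buf_off, input, len);
    if (*canary != CANARY_VALUE) return DETECTED;
    if (*saved_ret != ret_before) return MISSED;
    return CLEAN;
}

enum verdict guarded_verdict(const unsigned char *input, size_t len)
{
    struct guarded_frame f;
    return check_frame((unsigned char *)&f, sizeof f, offsetof(struct guarded_frame, buf),
                       &f.canary, &f.saved_ret, input, len);
}

enum verdict misplaced_verdict(const unsigned char *input, size_t len)
{
    struct misplaced_frame f;
    return check_frame((unsigned char *)&f, sizeof f, offsetof(struct misplaced_frame, buf),
                       &f.canary, &f.saved_ret, input, len);
}
```

Feeding the same oversized input to both layouts shows the difference: the guarded frame reports DETECTED, the misplaced one reports MISSED, which is the "placement does nothing" case.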