Microsoft Makes Third Parties Less Secure

Dr. Roy Schestowitz

2009-08-02 21:51:28 UTC
Modified: 2009-08-02 21:51:28 UTC

Summary: Self-explanatory set of news reports

● Adobe patches 12 Flash bugs, 3 caused by Microsoft [Warning: IDG]

Adobe also took care of three vulnerabilities within Flash that were the result of the company's developers using a buggy Microsoft code "library" when they built the program. On Wednesday, Adobe confirmed that it had used Microsoft's flawed development code -- specifically the Active Template Library (ATL), a code library included with Visual Studio -- to create both Flash Player and Shockwave Player. The latter was patched that same day.

● Adobe confirms Flash contains Microsoft dev code bug

Adobe stepped forward yesterday to acknowledge that it's the first major third-party vendor to have used Microsoft's flawed development code in its products.

● Adobe Bugs Linked to Microsoft ATL Flaw [Note: Even the Microsoft-bent press admits this]

When Adobe Systems Inc. announced that it would periodically have Patch Tuesday releases of its own to coincide with Microsoft's monthly patch rollout, it became clear that Windows plays a vital role in the third-party software firm's security repertoire. That role became even more apparent with the security advisory Adobe released late Thursday.

● Microsoft Vulnerability Underscores Importance of Strong SDL

Sometimes it's the little things. According to Microsoft, one of the bugs in the Active Template Library was the result of a typo.

Comments

Yuhong Bao

2009-08-03 04:50:21

"How many of these problems, on closer examination, can be blamed on M$ SDKs?" Well, and the opposite can happen too. If you are debugging a crash dump with WinDbg and something that starts with nt! is at the top, does it always mean that MS to blame? But this case is different, and one of the things I like to point out here is that the LGPL requires that the library be patchable regardless of whether it is linked to proprietary or open source software.
twitter

2009-08-03 01:36:39

People should remember stories like this when M$ casts blame for system crashes onto their "partners." NVidia took this kind of punishment in 2008. How many of these problems, on closer examination, can be blamed on M$ SDKs?

The larger lesson is that non free software development methodology is inherently flawed. Stable APIs, owned by responsible parties, might sound like a good idea but the same thing with freedom is always better.
Yuhong Bao

2009-08-04 03:51:13

"one of the things I like to point out here is that the LGPL requires that the library be patchable regardless of whether it is linked to proprietary or open source software. " This means that you can patch a LGPL library without waiting for the vendor to relink the application with the patched library, which is handy especially for security patches. It won't help in the ATL case as properly fixing the security problem requires changes to the application's source code, but most of the time it will.

Microsoft Makes Third Parties Less Secure

Comments

Recent Techrights' Posts