08.02.09
Microsoft Makes Third Parties Less Secure
Summary: Self-explanatory set of news reports
• Adobe patches 12 Flash bugs, 3 caused by Microsoft [Warning: IDG]
Adobe also took care of three vulnerabilities within Flash that were the result of the company’s developers using a buggy Microsoft code “library” when they built the program. On Wednesday, Adobe confirmed that it had used Microsoft’s flawed development code — specifically the Active Template Library (ATL), a code library included with Visual Studio — to create both Flash Player and Shockwave Player. The latter was patched that same day.
• Adobe confirms Flash contains Microsoft dev code bug
Adobe stepped forward yesterday to acknowledge that it’s the first major third-party vendor to have used Microsoft’s flawed development code in its products.
• Adobe Bugs Linked to Microsoft ATL Flaw [Note: Even the Microsoft-bent press admits this]
When Adobe Systems Inc. announced that it would periodically have Patch Tuesday releases of its own to coincide with Microsoft’s monthly patch rollout, it became clear that Windows plays a vital role in the third-party software firm’s security repertoire. That role became even more apparent with the security advisory Adobe released late Thursday.
• Microsoft Vulnerability Underscores Importance of Strong SDL
Sometimes it’s the little things. According to Microsoft, one of the bugs in the Active Template Library was the result of a typo.
twitter said,
August 2, 2009 at 8:36 pm
People should remember stories like this when M$ casts blame for system crashes onto their “partners.” NVidia took this kind of punishment in 2008. How many of these problems, on closer examination, can be blamed on M$ SDKs?
The larger lesson is that non free software development methodology is inherently flawed. Stable APIs, owned by responsible parties, might sound like a good idea but the same thing with freedom is always better.
Yuhong Bao said,
August 2, 2009 at 11:50 pm
“How many of these problems, on closer examination, can be blamed on M$ SDKs?”
Well, and the opposite can happen too. If you are debugging a crash dump with WinDbg and something that starts with nt! is at the top, does it always mean that MS is to blame?
But this case is different, and one of the things I like to point out here is that the LGPL requires that the library be patchable regardless of whether it is linked to proprietary or open source software.
Yuhong Bao said,
August 3, 2009 at 10:51 pm
“one of the things I like to point out here is that the LGPL requires that the library be patchable regardless of whether it is linked to proprietary or open source software.”
This means that you can patch an LGPL library without waiting for the vendor to relink the application with the patched library, which is handy especially for security patches. It won’t help in the ATL case as properly fixing the security problem requires changes to the application’s source code, but most of the time it will.