Blog de Matias Katz Hablamos un poco de seguridad?

2 tough punches for Microsoft, in 1 week

We all know about it. It's everywhere. There's no need to further explain too much, since every information portal (whether an IT one or not) has already published in the last couple of days about the 2 big news regarding the world of Microsoft and security.

Issue 1 - Microsoft configmed a 17 year-old vulnerability:

The company from Redmond confirmed on January 20th that there's a vulnerability in their operating system Kernel, that goes back to Windows NT 3.51, which was built in 1993. Although the vulnerability itself is not a big thing, the fact that it has been present for almost 2 deacades, is.

Microsoft has already shown us its dark side regarding this kind of issues a few months ago, with the potential Blue Screen to Vista and 7 due to a failure in the SMB v2 protocol issue. However, the company's ambition is unconditional, these people tries to constantly improve everything, including themselves, bringing us with worse news. Not just because this vulnerability is older, but because apparently (citation needed) Microsoft knew about this since June 2009.

We're all humans, that's correct. But spending 17 years without discovering a vulnerability and not doing anything when somebody from outside tips you off, its simply outraegous.

More Information: ZDNet (English)

Issue 2 - Operation Aurora, Hydraq, Google Hack, China Hack, IE Hack and 1000 more names:

A group of chinese hackers get into Google and cause uncountable damages of historic magnitude. Google is going crazy, talking about removing their branch in the country; meanwhile, other big firms start to fall under the same attack (Adobe, Juniper, and others).

Turns out to be a 0-day vulnerability in Internet Explorer which allowed the chinese guys to make the attack. The world panics because the exposition is inevitable, massive broadcast notifications arise asking people not to use IE for a while, or to raise the security level to "high", knowing (or innocently not knowing) that accomplishing that on the common user is practically impossible.

Microsoft tucks its sleeves and promises to have an out-of-band emergency patch ASAP. And they get it done, publishing the MS10-002 newsletter, on January 21st. Everything goes back to normal, the DEFCON level lowers again and all administrators are crazy patching the computers.

To sum up, you could say that this is a tie for Microsoft. Even though a good action does not cover a bad one, I must say that when the oven is burning, the guys from MS did a very good job.

To read the details of the matter, please follow the links below. The thruth is that I didn't see the purpose of repeating the same that thousands of other sites have already notified, I just sticked to giving my opinion about it.

More Information: ZDNet (English) - Cristian Linacre's Blog (Spanish) - ESET Latinoamérica's Blog (Spanish)