
Third party software vulnerabilities

A lot of heat has been put on the security of Vista and other Microsoft software products.

However, Microsoft has a software security architecture which they use and also have the advantage of not being dependent on third party proprietary software in their core operating system, desktop and Back Office products.

With all the criticism of Microsoft, I say people who live in glass houses should not throw rocks.

Most IT security startups take short cuts and don't bother with a software security assessment of their own product. They license proprietary closed-source components for their products and they don't publish CVSS (Common Vulnerability Scoring System) scores.

I am personally familiar with the extrusion prevention space - a dense, highly competitive group of vendors that develop products that monitor outgoing content from a network.

It is public knowledge that Stellar, Tablus, Port Authority, Vontu, Proofpoint (and others) all use the Verity KeyView SDK to decode content. That's how, amazingly enough, they all have the same number of content decoders in their press releases. They somehow manage to imply that this is part of their core IP, but in fact it is not.

More importantly, these products (which are supposed to mitigate the risk of insider theft and insider stupidity) are vulnerable because of the vulnerabilities they inherit from their licensed software. Since they are closed-source products themselves, it is a no-brainer that none of these vendors have submitted their source code to third-party testing, defect reduction and software security improvement.

As reported earlier this year, the Verity KeyView Filter SDK contains a flaw that allows a remote attacker to delete arbitrary files. The issue is due to 'kvarcve.dll' not properly checking the filenames of compressed files in ZIP, UUE, and TAR archives for directory-traversal sequences (../../) when generating their previews, so a member name supplied by whoever built the archive decides where on the disk the filter writes and cleans up.

According to the Secunia Web site an upgrade is required as there are no known workarounds.
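The defensive check that was missing is small, and it is the kind of thing a product that embeds a third-party decoder should enforce itself rather than trust the SDK to do. The following is an added example (not Verity's code and not from any of the vendors named above) of validating archive member names before they are turned into paths under a preview directory. The function names are hypothetical, and the sample archive is constructed in memory so the block runs offline; it goes slightly beyond the page by also rejecting absolute paths, drive letters and backslash separators, which are the other ways an archive entry can land outside its root.

```python
import io
import os
import zipfile


def is_safe_member_name(name: str) -> bool:
    """Return True only if an archive member name cannot escape the extraction root.

    Rejects empty names, NUL bytes, absolute paths, drive letters, and any
    '..' component.  The '..' case is the class of name the page says
    kvarcve.dll failed to check; the rest is defence in depth.
    """
    if not name or "\x00" in name:
        return False
    # Treat backslashes as separators too: some archivers write them, and a
    # Windows file API will honour them when the path is opened.
    normalised = name.replace("\\", "/")
    if normalised.startswith("/"):
        return False
    if len(normalised) > 1 and normalised[1] == ":":  # e.g. "C:..." drive letter
        return False
    return all(part != ".." for part in normalised.split("/"))


def safe_target_path(root: str, name: str) -> str:
    """Resolve `name` under `root`, raising ValueError if it would land outside.

    The containment check with os.path.commonpath is the second layer: even if
    the name filter above misses something, the resolved path must still sit
    under the preview root.
    """
    if not is_safe_member_name(name):
        raise ValueError(f"rejected archive member name: {name!r}")
    root_abs = os.path.abspath(root)
    parts = [p for p in name.replace("\\", "/").split("/") if p]
    target = os.path.abspath(os.path.join(root_abs, *parts))
    if os.path.commonpath([root_abs, target]) != root_abs:
        raise ValueError(f"member {name!r} resolves outside {root_abs}")
    return target


def classify_archive(zip_bytes: bytes, root: str = "/tmp/preview") -> dict:
    """Split a ZIP's member names into accepted and rejected without extracting anything.

    This is the pre-check a preview generator should run before it writes or
    deletes a single file on behalf of the archive.
    """
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            try:
                safe_target_path(root, name)
                accepted.append(name)
            except ValueError:
                rejected.append(name)
    return {"accepted": accepted, "rejected": rejected}


def build_sample_zip() -> bytes:
    """Constructed sample: one benign member and two with traversal-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/report.txt", b"quarterly numbers")
        zf.writestr("../../etc/passwd", b"not really")
        zf.writestr("..\\..\\windows\\win.ini", b"not really")
    return buf.getvalue()


if __name__ == "__main__":
    # Expected: docs/report.txt accepted, the two traversal names rejected.
    print(classify_archive(build_sample_zip()))
```

The same two-layer shape (a syntactic filter on the name, then a containment check on the resolved path) applies to TAR and UUE member names as well; only the archive reader changes. Logging the rejected names is worth doing, since an archive that carries them is itself a useful detection signal.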

Next time a salesperson from one of these vendors calls you, ask her some simple questions:

1) How many of their customers have unpatched and vulnerable products?

2) How do they handle patch distribution and management in the field for a proprietary third-party component, where a) the patch needs to be available and b) the vendor needs to make sure all users have received and installed the patch?

3) What additional vulnerabilities were introduced because of the programming interfaces to the Verity KeyView Filter SDK?

4) Are these and other vulnerabilities documented with CVSS on the vendor Web site? (Like Skype and Symantec...)

About

This page contains a single entry from the blog posted on November 27, 2006 3:39 PM.


This weblog is licensed under a Creative Commons License.