blogs.msdn.com/brianjo

Brian Johnson's Startup Developer Blog

Security Chat November 18th

Update: I'm taking this off the security feed so the new one shows up on the Security Developer Center home page.

Update: Chat is over. Lots of good info from Mike and great questions. I'll post a link to the transcript when I get it.

Update: This chat is starting now. Go here to enter the chat room.

The next Mike Nash Security Chat is Thursday, November 18th at 9:00 AM (PST). These chats take place monthly and they provide an excellent chance to mix with the security experts at Microsoft. We really had a good time with the last chat, and I would encourage everyone interested in security to attend. Here's a link and a description:

Security in Microsoft Products
Join Mike Nash, Vice President for the Microsoft Security Business Unit, and his team of security experts each month. Microsoft is working hard to improve security and Mike and his team invite you to join them in a candid Q&A session. Ask us your tough questions; share with us what is going well and what needs improvement. This is your chance to talk up front with the leading security minds at Microsoft.
Click here to add the chat to your Outlook calendar. This page links to past chat transcripts.
Comments
  • > Microsoft is working hard to improve security

    For a while I was even persuaded to believe that, but yesterday Microsoft showed how foolish I was.

    On 2004.10.24, Internet Explorer demonstrated a bug, saying that a secure web site (https) had a certificate that had already expired or whose period of validity had not yet begun. IE showed the certificate's period of validity, 2003.12.29 to 2004.12.29. The clock applet in the taskbar of Windows XP SP2 agreed with that day's newspaper that the date was 2004.10.24, so IE and/or Windows really didn't know how to sort dates.

    On 2004.11.15 I finally realized that this was a security flaw. When IE and/or Windows XP SP2 can't sort dates, what will they do when presented with a security certificate that really has expired or whose period of validity really hasn't begun yet? Odds are that IE will silently accept the certificate, with no hint to the user that the session is proceeding with an invalid certificate. So I reported the security flaw to Microsoft.

    Microsoft can't reproduce it. So Microsoft directed me to PSS. Right, I'm supposed to believe that if I pay Microsoft for a support incident then Microsoft will teach Microsoft how to reproduce a security flaw? Pardon me while I doubt this.

    Actually I have a feeling that a possible, partial reason for Microsoft's inability to reproduce the bug is that Microsoft sometimes tests its English language products and fixes bugs in them, and then only retests its English language products when trying to reproduce a bug, even though the bug actually remains in the rest of Microsoft's products. This hunch is compounded by the replies I got from Microsoft. When quoting IE's error message in Japanese, Microsoft set their e-mail encoding to Western European, so all of the Japanese text was converted to strings of question marks. I suggested to Microsoft that they set their e-mail encoding to either JIS or Unicode when quoting Japanese text, but it seems that Microsoft didn't understand.

    Or possibly this is the reason why Microsoft told me to go to PSS? If I pay Microsoft for a support incident then Microsoft will teach Microsoft how to set their e-mail encoding when quoting flaw-revealing inaccurate error messages that were displayed by Microsoft products? Pardon me while I doubt this too.

    Security? No, Microsoft still doesn't get it.
  • Reproduced it yesterday, re-reported it yesterday, and received no reply yet this time (though it's only been about 12 hours).
  • Microsoft has answered, so I'll post the results. Although the certificate of the end user (the web site) was valid, an intermediate certificate had indeed expired. Internet Explorer displayed a combination of erroneous information and correct information about the end user's certificate, but Internet Explorer did so because it had correctly diagnosed a problem with the intermediate certificate, even though it didn't display that information.

    This bug makes it indeed a product support issue rather than a security issue, so I'm supposed to pay Microsoft a fee in order to report it. I didn't do that so I think the issue is closed.
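
The diagnosis in the last comment (the site's own certificate is valid, but the chain still fails because an intermediate CA certificate has expired, and the browser's message points at the site certificate) is easy to reproduce outside Internet Explorer. The following is an added example, not code from this blog or from Microsoft, written in Go against the standard crypto/x509 verifier. It mints a throwaway root, an intermediate that expired a year before the demo clock, and a leaf that is valid at the demo clock for the made-up host www.example.test; it then runs the normal chain verification and, separately, checks each certificate's validity window on its own so that the failing link is named. The CA names, the host name, the validity dates and the 2004-11-15 "clock" are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoClock is the constructed "today" for the example; every validity
// window below is relative to it so the run is deterministic.
var DemoClock = time.Date(2004, time.November, 15, 12, 0, 0, 0, time.UTC)

// DemoHost is a made-up host name; nothing here is a real CA or site.
const DemoHost = "www.example.test"

// caTemplate builds a CA certificate template with the given validity window.
func caTemplate(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// mint generates a fresh P-256 key for tmpl and has signer (the parent's key)
// sign it; a nil signer means self-signed. The DER is parsed back so the
// returned certificate looks exactly like what a client would receive.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemoChain returns leaf, intermediate, root (leaf first, as a server
// would send it). The leaf is valid at now; the intermediate expired a year earlier.
func BuildDemoChain(now time.Time) ([]*x509.Certificate, error) {
	root, rootKey, err := mint(caTemplate(1, "Demo Root CA", now.AddDate(-5, 0, 0), now.AddDate(5, 0, 0)), nil, nil)
	if err != nil {
		return nil, err
	}
	// The expired link: this intermediate's window closed twelve months before now.
	inter, interKey, err := mint(caTemplate(2, "Demo Intermediate CA", now.AddDate(-3, 0, 0), now.AddDate(-1, 0, 0)), root, rootKey)
	if err != nil {
		return nil, err
	}
	// The web site's own certificate is perfectly valid at now.
	leaf, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: DemoHost},
		DNSNames:    []string{DemoHost},
		NotBefore:   now.AddDate(-2, 0, 0), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, inter, root}, nil
}

// VerifyAt does what a browser does: validate chain[0] against the trusted
// last element via the intermediates in between, with the clock set to now.
func VerifyAt(chain []*x509.Certificate, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		DNSName: DemoHost, Roots: roots, Intermediates: inters, CurrentTime: now,
	})
	return err
}

// OutsideValidity checks every link on its own and returns the subjects whose
// [NotBefore, NotAfter] window does not contain now: this names the real culprit.
func OutsideValidity(chain []*x509.Certificate, now time.Time) []string {
	var bad []string
	for _, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			bad = append(bad, c.Subject.CommonName)
		}
	}
	return bad
}

func main() {
	chain, err := BuildDemoChain(DemoClock)
	if err != nil {
		panic(err)
	}
	// At DemoClock the leaf is fine yet the chain fails; 18 months earlier it verifies.
	for _, at := range []time.Time{DemoClock, DemoClock.AddDate(0, -18, 0)} {
		fmt.Printf("clock %s: verify error: %v\n", at.Format("2006-01-02"), VerifyAt(chain, at))
		fmt.Printf("  outside validity window: %v\n", OutsideValidity(chain, at))
	}
}
```

Run as written, the chain fails at the demo clock even though the leaf is valid, and the same chain verifies cleanly eighteen months earlier, when the intermediate was still inside its window. That is the flip side of the commenter's worry: what a client accepts is decided entirely by the clock it verifies against, and the chain, not the displayed certificate, is what that clock is compared with. When a browser reports a date problem, check NotBefore and NotAfter on every certificate in the chain, not only on the one it shows you; the per-certificate walk in OutsideValidity is that check, and it keeps working however many intermediates the chain has.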