Brian Valentine, a Microsoft Senior VP in charge of the Windows development team, said:
"I'm not proud," Valentine said, as he spoke to a crowd of developers here at the company's Windows .Net Server developer conference. "We really haven't done everything we could to protect our customers … Our products just aren't engineered for security."
Even worse, Microsoft is clueless about the techniques used in recent attacks against Win2K.
"As of August 2002, the PSS [Product Support Services] Security Team has not been able to determine the technique that is being used to gain access to the computer," the company wrote in its security bulletin posted on August 30.
So Microsoft is a clueless Swiss cheese. One spot of good news is that Microsoft finally raised the severity rating of the recent SSL certificate vulnerability to critical and released a patch, which everyone should install ASAP.
I have recently issued an advisory to 3D-Secure (aka VbV) implementers to protect against this vulnerability by hashing the 3D-Secure PIN before submitting it to the issuer. Yup, the supposed security of SSL made sending passwords in plaintext seem reasonable. Complacency is not just a bug, but a queen bug.