When is Microsoft going to get involved in the commerce with vulnerabilities?

Jan 13, 2007 12:35 GMT

There is a MasterCard commercial. I think you've seen it, so you'll probably know what I'm getting at, but if you haven't, here goes a remake. Just use your imagination.

The set is a desk near a window. Outside you can see your average Windows background: blue sky, hills, maybe a field full of African daisies. Hmm... African daisies, now where oh where have I seen those flowers? I really can't put my finger on it, but never mind. On the desk, the camera first focuses on a Wireless Entertainment Desktop 8000 and the price appears next to it - $249.95.

Next, the camera moves back and you can see the desktop of a Windows Vista Ultimate edition, and the price: $399. Then comes the XPS 710 system - $2,500. Well, you get the idea. And then, the catch! A message fades in: "Microsoft patching Zero-days before exploit code is available... before PoC is published... priceless."

Well, not actually priceless. In fact, let's put a price on that. Let's put a price on Microsoft patching security vulnerabilities across its software products before they ever become Zero-days; before exploits; before remote arbitrary code execution.

A Microsoft security guru said recently that developers would never find all code-level security bugs. Microsoft is no exception to this rule. In fact, the Redmond Company's vulnerability history only confirms this conclusion. Once a piece of code is out the door and widely deployed by the public, vulnerabilities start popping out like blooming African daisies.

And the truth is that all statistics focus on the aftermath and evaluate the damages associated with successful exploits. But if attack vectors are the source of all problems, and if Microsoft cannot extirpate the vulnerabilities at their root, could it buy them instead? Why not! The Redmond Company throws money at every other thing. Others have done just that. Some still are.

The real question here is not why Microsoft is not getting involved in the commerce with vulnerabilities. The real question is WHEN will Microsoft get involved?

Let me present two cases in point. In mid-December, Trend Micro's chief technology officer, Raimund Genes, revealed that in the underground commerce with software vulnerabilities, a Zero-day Windows Vista critical flaw was going for $50,000.

And in January 2007, VeriSign's iDefense Labs debuted the Quarterly Vulnerability Challenge offering between $8,000 and $12,000 for a fully functional Windows Vista or Internet Explorer 7 vulnerability that allows for remote arbitrary code execution.

When is Microsoft going to get in on this? When is Microsoft going to debut the Windows Vulnerability Marketplace? Or the Windows Live Vulnerability Marketplace, if the initiative should be placed under the Windows Live brand umbrella.

According to a count by McAfee, in 2006 alone, Microsoft accounted for over 133 critical and important vulnerabilities across its software products. Remember when I was saying that I was going to put a price on Microsoft patched Zero-days? Well... 133 vulnerabilities at $50,000 a pop... $6,650,000. Let me make this as clear as possible. $6,650,000 is not even pocket change to Microsoft. Windows Vista is a $6 billion operating system, the best $6 billion Bill Gates has ever spent. Get the drift?

So... $6,650,000 for Microsoft... priceless for the users.