Let see the Security Now Guys did claimed that one security patch that Microsoft send out in responded to evil doers using a so call fault in metafiles could not had been a program error by Microsoft but instead look like a backdoor that others found and therefore needed to closed by them. See GRC web site for more details.
I don't need to, I am very familiar with this case and the claims that it's a backdoor are just plain idiotic. I've argued this directly with Steve Gibson himself somewhere on the internet (I'm thinking it was slashdot?) Just examine the facts.
It was an exploit that works like this: in image metadata you could put abort processing code for images that didn't load quickly. This was not a bug, it was a feature. So yes it was intentional, but not it was not made to be a "backdoor", that makes no sense. First of all, in order to use it as a backdoor you'd need the user to visit a webpage with the malicious image or somehow get the user to view the image. This is a pretty crappy "backdoor", as you need social engineering to make it work.
They don't need to do that, your operating system already trusts them and their code and if they really wanted to backdoor you they could do it much more easily through methods that don't require user interaction.
Don't you think it makes more sense to make a backdoor that lets you in without having to ring the bell? Any paranoid fool (like Steve Gibson) can claim that any exploit in Windows is an intentional backdoor, and then do as he did and claim that it can't be proven either way because you can't prove the "intent" of Microsoft.
That's fine if you like to imagine conspiracy theories, but if this is a backdoor it was about the stupidest way they could do it. They have the ability to do it silently and without needing you to be tricked into a step in the process, don't you think if their intention was to put a backdoor there that risks their whole business they'd make a more simple and useful one that didn't require your participation?
You are going to decompile Microsoft's millions of lines of code?
No, but acquaintances of mine do, and the open source community does. Hell I'll even cherry pick and show an example from a group already mentioned in this thread: WINE.
WINE, Samba, ReactOS and almost any of those open source projects that have extensive interoperability with Windows decompile and look at Microsoft's code extensively. They do clean room reverse engineering in order to implement their own software that's compatible with the Windows API. Here's an example from ReactOS
, go through that thread and you'll see proof that a ReactOS developer decompiled Windows code and copied it, it's not mentioned in the thread but after that incident they had to take their code offline and audit it for parts copied wholesale from Windows.
Furthermore, you don't need to decompile the code to figure out if it has a backdoor. You can see whether it's phoning home through network monitoring, you can probe its ports to see if it's listening, and you can send it packets trying to find ways in.
The security industry does this all the time, and they have discovered flaws in RPC that they did not need to look at code to discover and that also granted root access to the machine. There are hundreds of thousands of people trying to crack Windows and they are poring over it. If there is a backdoor and it's ever used it wouldn't be long before the information is public.
The beta version of Window 7 was over a two G download and how many thousands of years would it take to try to understand the output of a decompiler on such an OS?
With hundreds of thousands of people doing it, it wouldn't take that long. Hundreds of thousands of people are probing Windows for vulnerabilities, some in the security industry and others in order to make money (do you realize how much money is spent finding ways to get control of Windows machines to use in botnets to send spam and launch hacking attacks?) but hey, ignore all that and think of one simple thing when you say it would take thousands of years: did it take Microsoft thousands of years to write it, test it and release it? No, so it's not going to take thousands of years to read.
And yes I do have some problems with software aim at the Microsoft platform as little of it is open source unlike Linux. Zone alarm firewall is said to have been sending some form of unknown encipher data by way of DNS packages behind their users back to their servers.
Zone Alarm is garbage and has nothing to do with Microsoft. There are plenty of malicous pieces of software developed for Linux as well and what others decide to do with the platform doesn't reflect on the platform itself.
This, to take an argument Google recently used to defend Google Earth, is like criticizing car makers because some people use cars to make car bombs.
Hell of a note to find that the very software that you had place on your system to protect it is itself sending some unknown type of information back home.
If you are using Zone Alarm, you shouldn't say anything about liking stability and security, even if it weren't garbage among software firewalls all software firewalls are inherently less secure and stable than a firmware firewall in your router.
Even if your software firewall works perfectly I can render your machine useless just through brute force because it would still be using your system resources to deal with the attack.
And yes I am of the opinion that open source is on it face more secure then closed source programs as many eyes are looking at the code to find possible problems before it bit the user in the rear end and there is almost no way to hide backdoors either.
This is both a positive and a negative. Black hats can probe code and run zero-day exploits more easily, but white hats can report them as well.
Anywho, don't get me wrong, anyone who can get what they need done on Linux should, in my opinion, merely on the basis of the legal and financial freedom, but the claims of security benefits are greatly exaggerated. Linux fanboys tend to say Linux or open source is a silver bullet for security but that's just not true, and you'll have to keep patching your software.
Patching exists primarily because humans make mistakes or oversights that need fixing when they are discovered, not because of the software development model, in all models these mistakes happen.