Microsoft explains why killbits are needed #BlackHat

From the ‘insightful comments‘ files:

Yesterday Microsoft put out an out of band release to deal with a killbit issue that will be discussed today at the Black Hat security conference in Las Vegas.

I caught up with Mike Reavey Director of the Microsoft Security Response Center (in a hallway in Caesars Palace where Black Hat is being held) to talk about how Microsoft deals with security research – and how he sees the whole kill bit issue. I’ve got a three minute slice of the full interview below, and I’ve also pulled out what I see as the really noteworthy quotes as well.

“The killbit is still a very important security function when you’re dealing with ActiveX controls,” Reavey told me. “The right way to fix software problems is in the code itself, so the same practices we have around secure development will help to mitigate threats beyond just using the killbit.”

That does make good sense, but wait…Reavey has more insights to share.

“The other thing is you can’t eliminate all possible vulnerabilities in all possible parts of software,” Reavey said. “You can work to mitigate them.”

In the clip below, in addition to killbit, (the latter part of the video), Reavey also explains how Microsoft works with security researchers (including those that helped to disclose the killbit issue).

News Around the Web