"Giant" DNS Vuln - Apple: 0; Microsoft: 1

Close your Twitter and FriendFeed; drop that iPhone; put your shoes on and order some pizza; it's gonna be a late night full of patching DNS servers. At least that's what you'd think I'd be writing about today. Multiple DNS implementations are vulnerable to cache poisoning and it is a relatively big deal. The bigger deal that we seem to be overlooking is Microsoft's role in this event and how the competition stacks up.

Today is July 8th 2008. It's what we call Patch Tuesday, and by normal accounts it's a day when people like myself, who work professionally in information security, already know quite clearly what is on today's plate. However, today's Patch Tuesday is a bit different. Thanks to a number of influential security professionals, we have a significant multi-vendor and multi-agency coordinated release going on. Today, Microsoft is not the only game in town.

When we talk about today's DNS vulnerability announcement, I'm not fretting over my Windows servers or my XP laptops. The vendors we need to be concerned with today are the 90+ other companies listed on the CERT advisory that have provided no status information regarding their products. Many of these vendors were apparently notified in April and May of 2008. Three months later, the advisory is now public and many high-profile vendors have the dreaded "unknown" status. I'll save you the time of reading the vendor list and highlight a trend I've talked about before:

Cisco: Vulnerable
Foundry: Not Vulnerable
ISC: Vulnerable
Juniper: Vulnerable
Microsoft: Vulnerable
Nominum: Vulnerable
PowerDNS: Not Vulnerable
Sun: Vulnerable
Apple: Unknown

That is correct. The company which insists it has the most secure operating system, the company which continues to try and penetrate the enterprise computing market, is listed as unknown. This is also the same company which lost its splashy smartphone to a previously patched bug in an open source project. Not much later, its brand new laptop keeled over in less than 2 minutes at PWN2OWN.

In comparison, we know that back in March engineers from major vendors met at Microsoft to plan and coordinate today's events. Further, not only do we know what Microsoft products are vulnerable, but we also have patches. The reason for this is simple - Microsoft is an enterprise vendor:

Microsoft has a predictable and regular patch release cycle.
Microsoft communicates to the public about its security issues.
Microsoft has a publicly readable and defined security glossary of terms.
Microsoft has a well-run security development life cycle.

We may not always like Microsoft or Microsoft products (hint: please extend the support of XP), but today's round goes clearly to Microsoft.

Updates

7/9/08: Add Vendor References

http://sunsolve.sun.com/search/document.do?assetkey=1-26-239392-1
http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
http://www.isc.org/index.pl?/sw/bind/bind-security.php
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx

Comments (1)

Security vendors can be the worst responders when informed about their own products. :(

Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for setting and enforcing the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department. He is a Certified Information Systems Security Professional (CISSP).

About

This page contains a single entry from the blog posted on July 8, 2008 8:25 PM.
