Very well written. Also quite worrying given they're supposed to be a security company and these kinds of issues are well known.
Then again it does seem like the entire universe applies "eh probably nobody will try and hack it" to services listening on local TCP interfaces.
They certainly don't care about multi-user machines, though I suppose there are so many local root exploits these days you're basically trusting your users anyway in that situation.
Linux is used by by docent "security companies" and still has vulnerabilities from time to time. So does Apple in the products where their care about security, etc.
More important are three things to realize:
1. their handling of the incident, which wasn't just fast but you could say absurdly fast to a point that I'm pretty sure multiple employees dropped everything the moment they read the mail to solely focused on fixing and analyzing it
2. it's Windows only (at least it's main problem is), coming from a workaround for a feature "missing" in windows from a company which is relative young and started out in the Linux/UNIX space.
3. it is exploitable due to a fundamental design flaw of browsers
Or what I'm trying to say: It isn't that surprising (or worrying) that such a thing happened, what matters is how they handle it and make sure that it will not happen again.
It's not missing. Windows has named pipes. They just don't use the same API as Unix sockets so you would have to do some work to do it properly (or use an existing library that abstracts both interfaces).
In any case Windows has had support for Unix sockets since 2017 so there's really no excuse.
> Linux is used by by docent "security companies" and still has vulnerabilities from time to time. So does Apple in the products where their care about security, etc.
Right but neither of them are companies whose sole product is a security product.
I agree their response time is good - they probably realised how bad it looks!
Then again it does seem like the entire universe applies "eh probably nobody will try and hack it" to services listening on local TCP interfaces.
They certainly don't care about multi-user machines, though I suppose there are so many local root exploits these days you're basically trusting your users anyway in that situation.