Full Disclosure mailing list archives

Re: Hotmail & Passport (.NET Accounts)


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 11 May 2003 15:11:30 +1300

Georgi Guninski <guninski () guninski com> wrote:

> Back in around 1997/1999 MS credited (almost) anyone who bothered to disclose a 
> bug - check their bulletins.
> After that this changed. My explanation is that they realized there are *a lot* 
> of bugs left and tried to pressure people who bothered to disclose bugs to them 
> to keep hush until they fix the bugs.

Sure -- as I said "whether you like it [the policy] or not...".

It is understandable MS wanting to control^H^H^H^H^H^H^Hmanage 
vulnerability announcements affecting their products.  It is equally 
understandable, given the history of extensive exploitation of those 
products, that many users of the products will not feel entirely 
comfortable with this and thus not surprising that some vulnerability 
discoverers will act "irresponsibly" in their disclosures.

One of the interesting developments to come from this change and 
the fact that most vulnerability discoverers now seem to play by 
Microsoft's "rules" is the roughly quarterly (if they can manage 
holding off that long between them) IE "cumulative updates" rather 
than the almost weekly patch fest that used to be "IE systems 
administration".  While this may make the patch-appliers happy, and 
the inherent delay it clearly introduces into the discover/patch/ 
test/release chain of single issue IE patches has not yet clearly 
been a contributing factor in a massive incident, I sure hope that 
folk won't be sucked into bogus "MS released fewer IE patches last 
year" claims based solely on the year-on-year comparison of the 
number of patch releases (as indicated by security bulletin count).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
