Full Disclosure mailing list archives
Re: Hotmail & Passport (.NET Accounts)
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 11 May 2003 15:11:30 +1300
Georgi Guninski <guninski () guninski com> wrote:
Back in around 1997/1999 ms credited (almost) anyone who bothered to disclose a bug - check their bulletins. After then this changed. My explanation is that they realized there are *a lot* of bugs left and tried to pressure people who bothered to disclose bugs to them to keep hush until they fix the bugs.
Sure -- as I said "whether you like it [the policy] or not...". It is understandable MS wanting to control^H^H^H^H^H^H^Hmanage vulnerability announcements affecting their products. It is equally understandable, given the history of extensive exploitation of those products, that many users of the products will not feel entirely comfortable with this and thus not surprising that some vulnerability discoverers will act "irresponsibly" in their disclosures.

One of the interesting developments to come from this change and the fact that most vulnerability discoverers now seem to play by Microsoft's "rules" is the roughly quarterly (if they can manage holding off that long between them) IE "cumulative updates" rather than the almost weekly patch fest that used to be "IE systems administration". While this may make the patch-appliers happy, and the inherent delay it clearly introduces into the discover/patch/test/release chain of single issue IE patches has not yet clearly been a contributing factor in a massive incident, I sure hope that folk won't be sucked into bogus "MS released fewer IE patches last year" claims based solely on the year-on-year comparison of the number of patch releases (as indicated by security bulletin count).

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
