| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: fulldisclosure at aphroland.org (nate) Subject: Hotmail & Passport (.NET Accounts) Vulnerability David Vincent said: > ...why? is this a fame thing or are you worried that ppl aren't getting > credit for the vulns they discover and therefore don't have the > intellectual property over said vulns? I coulda swore I read somewhere(maybe it was just an opinion), perhaps sometime last year, MS started trying to crack down more on disclosures, wanting people to "co-operate" more(even if it meant waiting 2-3-4 months for them to come up with a fix), and would only give "credit" to those parties that "co-operated" with them in that manor. which is their right, I don't care either way(I don't use their products anyways). I've noticed at least some of the MS-related security reports seemed to have rather large gaps of time between notification and announcement of available fixes(weeks, months ..). I personally would prefer a more full disclosure stance from vendors (even open source ones) at least announcing that there is a severe problem with app X, and the vendor advises restricting access to it or shutting it down. e.g. the SSH root exploit last year there was a big uproar about it, my linux distribution(debian), was forced to release new versions of the package when infact the version of SSH that shipped with the product WAS NOT VULNERABLE(the affected features did not exist in that version of OpenSSH). The security folk didn't have the information they needed to determine what the problem was. On a similar note, a couple years ago there was a buncha advisories that came out for various ftp servers with regards to "globbing" (the ls */*/*/* bug), debian's port of the openbsd-ftp server remained vulnerable for probably nearly a year without so much as a peep out of the security team. I emailed them several times and conversed directly with a couple debian developers, at least they could of issued an advisory NOT to use that particular package until a fix was available(there are many alternative ftp servers afterall), but there was silence. Their response to me was the problem was in glibc and they were working on a fix for glibc which would fix it, but there was some sort of holdup for the fix. Though I would much rather know a package is vulnerable even if it may not be fixed for 3-4 months so I can stop using it, or at least severely restrict access to the port and monitor it much closer then otherwise would be spent monitoring it. Even if it means updating a security advisory several times, I'd love to see a system that notified immediately upon discovery, and then tracked the status of the fix until it is made available(at least for patches that would take longer then 24 hours to release). Anyone know if MS has ever gotten a patch out in less then 24 hours from notification? I remember reading Samba's response to their most recent troubles I think Jermey Allison(sp?) said they had fixes to the bugs within 2 hours of being notified or something like that though they waited 48-72 hours to give their vendors time to prepare "packaged" fixes before making a formal announcement. nate
Powered by blists - more mailing lists