From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Hotmail & Passport (.NET Accounts)

Georgi Guninski <guninski@...inski.com> wrote:

> Back in around 1997/1999 ms credited (almost) anyone who bothered to disclose a 
> bug - check their bulletins.
> After then this changed. My explanation is that they realized there are *a lot* 
> of bugs left and tried to pressure people who bothered to disclose bugs to them 
> to keep hush until they fix the bugs.

Sure -- as I said "whether you like it [the policy] or not...".

It is understandable MS wanting to control^H^H^H^H^H^H^Hmanage 
vulnerability announcements affecting their products.  It is equally 
understandable, given the history of extensive exploitation of those 
products, that many users of the products will not feel entirely 
comfortable with this and thus not surprising that some vulnerability 
discoverers will act "irresponsibly" in their disclosures.

One of the interesting developments to come from this change and 
the fact that most vulnerability discoverers now seem to play by 
Microsoft's "rules" is the roughly quarterly (if they can manage 
holding off that long between them) IE "cumulative updates" rather 
than the almost weekly patch fest that used to be "IE systems 
administration".  While this may make the patch-appliers happy, and 
the inherent delay it clearly introduces into the discover/patch/ 
test/release chain of single issue IE patches has not yet clearly 
been a contributing factor in a massive incident, I sure hope that 
folk won't be sucked into bogus "MS released fewer IE patches last 
year" claims based solely on the year-on-year comparison of the 
number of patch releases (as indicated by security bulletin count).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
