Message-ID: <4220E15D.8090802@pacbell.net>
Date: Sat, 26 Feb 2005 12:51:41 -0800
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@...bell.net>
To: "Jay D. Dyson" <jdyson@...achery.net>
Cc: Bugtraq <bugtraq@...urityfocus.com>,
Paul <paul@...yhats.cjb.net>, Sonny.Discini@...tgomerycountymd.gov
Subject: Re: Office 10 applications & flashdrives can be used to browse
restricted drives

Go back and read the original post.

Whether or NOT this is a true vulnerability....

"VENDOR RESPONSE
This issue was reported to Microsoft on Feb 11, 2005, acknowledged by
support, and as of today our best efforts to get a hotfix (or even a
commitment to produce a hotfix at some later date) have been fruitless."

So let's see email sent 2/10 to secure@...rosoft.com [you did contact
secure@ right?] and on 2/23 since you received no patch [13 days for
patch testing...dude...get real] you blasted this to a listserve?

I emailed Sonny on the 23rd asking if he wanted a fast patch that broke
stuff or a tested patch. He's yet to respond to me on that question.

"If" this is an issue, "If" it needs a patch, Sonny didn't even let a
"Patch Tuesday" go by before blasting.

Whether or not you want to cut Microsoft some slack... there's a process
of ethical and responsible disclosure that I would expect Sonny as a
representative of a governmental agency would understand. He not only
put his own government computers at risk but others in this disclosure, yes?

How about cutting us Admins some slack even if you "don't" cut Redmond some?

Susan

Jay D. Dyson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 25 Feb 2005, Paul wrote:
>
>> Seriously, people, cut Microsoft some slack. They're doing the best
>> they can.
>
>
> Considering that Microsoft is a multi-billion dollar corporation,
> I cannot agree that it deserves any slack. If Microsoft can afford to
> sell software that leaves its customers at risk, it can afford to
> issue hotfixes to remedy the problems that it created. And I don't
> buy into the "get the Service Pack" argument after having dealt with
> the ridiculously FUBAR'd mess called SP2 for XP that went down last year.
>
> Bottom line: Microsoft customers are paying gourmet prices for
> Redmond's products and are getting McDonald's quality for security.
>
> - -Jay
>
> ( ( _______
> )) )) .-"There's always time for a good cup of coffee"-.
> >====<--.
> C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@...achery.net -----<) | =
> |-'
> `--' `--' `-I just started World War III. You're welcome.-' `------'
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (TreacherOS)
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iD8DBQFCILLlBYoRACwSF0cRAmorAJwNfCme2RBnV6rrqGqTjHMH/2friwCeMZjH
> OtuTdoBHOvXjZSg0kSOfHKE=
> =ENFp
> -----END PGP SIGNATURE-----
>
--
Chapter 4 of The Complete Patch Management Book:
https://www.ecora.com/ecora/jump/pm149.asp
So why is it the only book on NT Event Logging is out of print?
http://tinyurl.com/3kwc2
And if you don't know about www.eventid.net You should!