lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <1057112655.12085.35.camel@miles.debisschop.net>
From: karl at debisschop.net (Karl DeBisschop)
Subject: Microsoft Cries Wolf ( again )

On Tue, 2003-07-01 at 20:18, mattmurphy@...rr.com wrote:

> As for the criticism on Microsoft's blasting researchers who poorly handle
> security vulnerabilities, most of it is not valid. 

If MS had a better means of reporting the problem, or handling bug
reports, I'd be more sympathetic.

My only experience with MS bug reporting was this known bug with IE: if
you configure your web server to negotiate delivery of compressed
content, IE will tell the server that it accepts a compressed PDF. It
will then hand off the compressed data stream to acrobat reader,
apparently without decompressing or letting acrobat know the content
should be decompressed.

About a year ago, I tripped over this issue. (I have since found out it
is a known bug - see http://www.sitepoint.com/print/1029). In an effort
to help MS, I spent hours of company time registering to various bug
reporting services on MS sites - and never found one that would accept
my bug report because IE is not a paid product. Not that I wanted any
support - I only wanted to help them out.

In the end, I emailed support@...rosoft or some such valid email
address. A year later, I am still waiting for a response from MS. No
email was bounced, and there was not even an autoresponder. I have not
tried the experiment recently, but this issue still is not in their
knowledge base, and I still have no reply.

If this is the experience of the typical security researcher, it seems
to me that radical full disclosure is a reasonable response - if the
vendor will not provide the tools for the users to protect themselves,
then the users must band together for self preservation.

OTOH, if vendors do respond, then radical full disclosure seems to me
unwarranted, and a source of increased risk. For instance, every bug I
have reported to PostgreSQL, Red Hat, Mozilla.org, and Ximian
[Evolution] has been acknowledged and fixed - always within a few months,
usually within days. It's like any relationship -- the way you are
treated reflects the trust you have earned.

Matt, you make some valid points. But ISTM they hinge on MS being 
responsive to bug reports. In my limited experience, they are not.

--
Karl
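The negotiation failure described in the message above, as an added example that is not part of the original post or of any vendor's code: a small check a server operator can run over a captured HTTP response to see whether a PDF is going out gzip-encoded (the case where a client that forwards the raw stream to the reader hands it compressed bytes instead of a document). The classification labels and the constructed sample PDF are assumptions of this example.

```python
import gzip
import zlib

PDF_MAGIC = b"%PDF-"
GZIP_MAGIC = b"\x1f\x8b"


def classify_pdf_response(headers: dict, body: bytes) -> str:
    """Classify a response that claims to carry a PDF (labels are this example's own).

    'plain-pdf'    body is a PDF and no content-encoding is applied
    'gzip-pdf'     body is gzip that decodes to a PDF: the negotiated case in
                   which a client that hands the raw stream to the PDF reader
                   delivers compressed bytes
    'gzip-not-pdf' gzip stream that does not decode to a PDF
    'gzip-corrupt' declared gzip but the stream does not decompress
    'mislabelled'  headers and body disagree (e.g. gzip bytes, no encoding header)
    """
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    ctype = hdrs.get("content-type", "")
    cenc = hdrs.get("content-encoding", "identity")
    if not ctype.startswith("application/pdf"):
        return "not-pdf-content-type"
    if body.startswith(GZIP_MAGIC):
        if cenc != "gzip":
            return "mislabelled"  # compressed body, but nothing tells the client so
        try:
            decoded = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            return "gzip-corrupt"
        return "gzip-pdf" if decoded.startswith(PDF_MAGIC) else "gzip-not-pdf"
    if body.startswith(PDF_MAGIC):
        return "mislabelled" if cenc == "gzip" else "plain-pdf"
    return "mislabelled"


# Constructed sample: a minimal PDF header, served plain and gzip-encoded.
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample, not a real document\n"
SAMPLE_GZ = gzip.compress(SAMPLE_PDF)


def demo() -> dict:
    """Run the classifier over the three responses a server audit would compare."""
    pdf = {"Content-Type": "application/pdf"}
    negotiated = {"Content-Type": "application/pdf", "Content-Encoding": "gzip"}
    return {
        "plain": classify_pdf_response(pdf, SAMPLE_PDF),        # plain-pdf
        "negotiated": classify_pdf_response(negotiated, SAMPLE_GZ),  # gzip-pdf
        "unlabelled": classify_pdf_response(pdf, SAMPLE_GZ),    # mislabelled
    }
```

A 'gzip-pdf' result on a real capture means the server is compressing PDFs on negotiation; excluding application/pdf from the server's compression rules removes the dependency on the client decoding correctly.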

