[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1057112655.12085.35.camel@miles.debisschop.net>
From: karl at debisschop.net (Karl DeBisschop)
Subject: Microsoft Cries Wolf ( again )
On Tue, 2003-07-01 at 20:18, mattmurphy@...rr.com wrote:
> As for the criticism on Microsoft's blasting researchers who poorly handle
> security vulnerabilities, most of it is not valid.
If MS had a better means of reporting the problem, or handling bug
reports, I'd be more sympathetic.
My only experience with MS bug reporting was this known bug with IE: if
you configure your web server to negotiate delivery of compressed
content, IE will tell the server that it accepts a compressed PDF. It
will then hand off the compressed data stream to acrobat reader,
aparently without decopmresssing or letting acrobat know the content
should be decompressed.
About a year ago, I tripped over this issue. (I have since found out it
is a known bug - see http://www.sitepoint.com/print/1029). In an effort
to help MS, I spent hours of company time registering to various bug
reporting services on MS sites - and never found one that would accept
my bug report because IE is not a paid product. Not that I wanted any
support - I only wanted to help them out.
In the end, I emailed support@...rosoft or some such valid email
address. A year later, I am still waiting for a response from MS. No
email was bounced, and there was not even an autoresponder. I have not
tried the experiment recently, but this issue still is not in their
knowlege base, and I still have no reply.
If this is the experience of the typical security researcher, it seems
to me that radical full disclosure is a reasonable response - if the
vendor will not provide the tools for the users to protect themselves,
then the users must band together for self preservation.
OOTH, if vendors do respond, then radical full disclosure seems to me
unwarranted, and a source of increased risk. For instance, every bug I
have reported to PostgreSQL, Red Hat. Mozilla.org, and Ximian
[Evolution] has been acknowleged and fixed - always within a few months,
usually within days. It's like any relationship -- the way you are
treated reflects the trust you have earned.
Matt, you make some valid points. But ISTM they hinge on MS being
responsive to bug reports. In my limited experience, they are not.
--
Karl
Powered by blists - more mailing lists