Message-ID: <04BC07D8.5B794419.31B322FD@netscape.net>
From: webheadport80 at netscape.net (webheadport80@...scape.net)
Subject: Absurd Microsoft QA? The Return of the "username@...sword"...
This was just brought to my attention. I have to tell you how ridiculous
the below events are. See URL link below for yourself.
* February 2, 2004, Microsoft issues an emergency IE cumulative patch
(MS04-004) which had three fixes. As everyone is aware by now... one
removed the functionality to utilize "username@...sword:" in URL
references which got a lot of hoopla in the industry.
* This release was outside of Microsoft's own, established monthly
schedule for security patches. The whole infosec industry was
dumb-founded by this... as there was NO new impending threat taking
advantage of the IE vulnerabilities this 004 patch fixed. This made
absolutely no sense to release this outside of the established
monthly cycle.
* Considering that on February 10, 2004... just one week later...
Microsoft would release their scheduled monthly set of security
patches... this causes a lot of frustration and rework for large
corporations to address significant Microsoft security patches a week
apart as two initiatives instead of combining them into one
concerted effort.
* Microsoft's defense is that there was an immediate threat. Well,
November 2003 is when the IE vulnerabilities were discovered. Why
weren't these addressed and released then??? Is it accurate to
assume that Microsoft takes 3 months to address IMMEDIATE threats???
The ASN vulnerability (MS04-007) released today by Microsoft is
significantly more severe and critical than any of the IE
vulnerabilities.
* Here's the final straw... On February 10, 2004... Microsoft released
a patch that... restores the "username@...sword:" functionality in URL
references!
* It seems they are trying to hide this fact as this is not
widely publicized and it is NOT being labeled as an IE patch nor even
a security patch! They're labeling it as an XML patch which is a little
shady since it was originally put into the February 2, 2004 IE cumulative
security patch!
* Is it coincidence that Microsoft chose to release the XMLHTTP
patch to restore the "username@...sword:" the DAY OF releasing the
February monthly security bulletins??? I think NOT! One could gather
that it was released the same day to not have a lot of attention
drawn to it since everyone would be getting up to speed on the three
released for February (MS04-005, 006, 007).
* For details see:
http://support.microsoft.com/default.aspx?scid=kb;en-us;832414
* What are we, the consumers, the users, supposed to glean out of these
events???
* I seriously question Microsoft's QA process if after three months it
was decided to remove the "username@...sword:" functionality... only
to provide a patch to restore it a week after releasing the original
patch that removed it!
* Keep in mind that Microsoft seemed to have MISSED the fact that...
THEY THEMSELVES use the "username@...sword:" in their OWN software!!!
Nice communication and collaboration!!! Way to go!!!
* I now have doubts about the quality of today's MS04-007 ASN security
patch that was released. Even though Microsoft has been working on
this patch since July-August of 2003... will it get re-released
with another, updated version because all the vulnerabilities were
not fixed??? We are seeing a definite pattern in the last 12 months...
in addition to the above IE events, do you remember the MS03-026 and
MS03-039 fiasco? There are still other high severity vulnerabilities
that Microsoft has yet to patch that are still "on their plate" and
well overdue. Just look at eEye's queue of overdue patches!
* Microsoft is losing a lot of trust in their ability and thoroughness
of QA, in addition to any comfort there was in a monthly schedule.
If you're in a position of power and/or influence... we have to express our large dissatisfaction to Microsoft regarding the emergency fashion that MS04-004, IE cumulative, security patch was released outside of the monthly schedule... just to have another patch restore the "username@...sword:" functionality! Absurd and unacceptable!!!
WebHead