Open Source and information security mailing list archives
Message-ID: <20050413151759.GA13799@linux.unixwiz.net>
Date: Wed Apr 13 16:18:04 2005
From: steve at unixwiz.net (Steve Friedl)
Subject: How to Report a Security Vulnerability to Microsoft

On Wed, Apr 13, 2005 at 10:54:34AM -0400, bkfsec wrote:
> It doesn't matter how much honey is poured into people's ears (or smoke 
> blown up their asses, if you will), it's the proof that's in the pudding 
> that counts, and the pudding is sour.

Even if you decide, for the sake of discussion, that Microsoft sucks,
there is still a good reason to work with MSFT on disclosure: the users.

I did a survey of various enterprises from 20 to 200,000 seats, and I
found a high correlation to "size of enterprise" and "how long it takes
to patch". Larger enterprises are usually characterized by *more* clueful
staff, but they have such wide-ranging issues - many line-of-business
applications, for instance - that they simply cannot patch overnight.

I was told "in an emergency, we can get everybody patched in 10 days"
by a manager of 200k seats. Otherwise it takes weeks to test and roll
out the patches. Some huge enterprises can patch faster, but it's not
the norm. These folks need all the time they can get.

All the Microsoft folks I've met get really prickly when it's said that
it takes too long to patch, and even though I know about the astonishing
amount of testing required, I happen to think it *does* take too long.

But unfortunately, I don't think there is much of a way to punish/light
a fire under Microsoft without *hurting the users*, so in this respect
it's like economic sanctions against Cuba: it's annoying for Castro,
but hurts the people much worse.

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | steve@...xwiz.net
