lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4C112D08.7020504@freerun.com>
Date: Thu, 10 Jun 2010 11:20:56 -0700
From: Benjamin Franz <jfranz@...erun.com>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Windows Help Centre Handles
 Malformed Escape Sequences Incorrectly

On 06/10/2010 09:26 AM, Susan Bradley wrote:
> You commented that Microsoft needs to address a communication 
> problem.  It's irrelevant to the full disclosure issue in my mind.
>
> I'd honestly like to know if there is a break down in communication at 
> the MSRC that needs to be addressed.  It appears there is one?
>

No. He didn't. What he said was: "Those of you with large support 
contracts are encouraged to tell your support  representatives that you 
would like to see Microsoft invest in developing  processes for faster 
responses to external security reports." That sounds like he is 
suggesting that companies put pressure on Microsoft to invest more 
resources in external security reports to me.

Microsoft has historically been exceedingly slow to address any reported 
vulnerabilities *except when people light a fire under them by 
publishing exploits*. Anything less typically takes months to years to 
fix. Even publicly shaming Microsoft isn't always enough. There are 
known, serious, published vulnerabilities that Microsoft didn't fix for 
*years*. I personally found and publicized one of them in 1998 - which 
*8 years later* was still not fixed 
<URL:http://en.wikipedia.org/wiki/Cross-site_cooking>

It isn't about *communication*, it's about Microsoft treating external 
reports seriously and *taking action in a timely way - even if they 
don't have an 'exploit in hand'*.

Tavis indicated he suspects that the 'black hats' already know about 
this particular exploit (IOW he thinks it is a '0-day' exploit already 
loose in the wild).

So who, exactly, would be protected by his *NOT* publishing it?  End 
users? They are probably already being exploited by it.

-- 
Benjamin Franz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ