Message-ID: <AANLkTimTtGvpt539SGMXXjny4Uwt1WW4C7cuPv3HrhNN@mail.gmail.com>
Date: Fri, 11 Jun 2010 11:40:55 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Benjamin Franz <jfranz@...erun.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
In my humble opinion, he could have waited a couple more days just in case
Microsoft decided to do the unprecedented.
In which case, a progressive change of policies at Microsoft is better than
a couple of users getting hacked from pron sites...
Cheers.
On Thu, Jun 10, 2010 at 8:20 PM, Benjamin Franz <jfranz@...erun.com> wrote:
> On 06/10/2010 09:26 AM, Susan Bradley wrote:
> > You commented that Microsoft needs to address a communication
> > problem. It's irrelevant to the full disclosure issue in my mind.
> >
> > I'd honestly like to know if there is a break down in communication at
> > the MSRC that needs to be addressed. It appears there is one?
> >
>
> No. He didn't. What he said was: "Those of you with large support
> contracts are encouraged to tell your support representatives that you
> would like to see Microsoft invest in developing processes for faster
> responses to external security reports." That sounds like he is
> suggesting that companies put pressure on Microsoft to invest more
> resources in external security reports to me.
>
> Microsoft has historically been exceedingly slow to address any reported
> vulnerabilities *except when people light a fire under them by
> publishing exploits*. Anything less typically takes months to years to
> fix. Even publicly shaming Microsoft isn't always enough. There are
> known, serious, published vulnerabilities that Microsoft didn't fix for
> *years*. I personally found and publicized one of them in 1998 - which
> *8 years later* was still not fixed
> <URL:http://en.wikipedia.org/wiki/Cross-site_cooking>
>
> It isn't about *communication*, it's about Microsoft treating external
> reports seriously and *taking action in a timely way - even if they
> don't have an 'exploit in hand'*.
>
> Tavis indicated he suspects that the 'black hats' already know about
> this particular exploit (IOW he thinks it is a '0-day' exploit already
> loose in the wild).
>
> So who, exactly, would be protected by his *NOT* publishing it? End
> users? They are probably already being exploited by it.
>
> --
> Benjamin Franz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>