Open Source and information security mailing list archives
Date: Fri, 11 Jun 2010 11:40:55 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Benjamin Franz <jfranz@...erun.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

In my humble opinion, he could have waited a couple more days just in case
Microsoft decided to do the unprecedented.
In which case, a progressive change of policies at Microsoft is better than
a couple of users getting hacked from porn sites...

Cheers.

On Thu, Jun 10, 2010 at 8:20 PM, Benjamin Franz <jfranz@...erun.com> wrote:

> On 06/10/2010 09:26 AM, Susan Bradley wrote:
> > You commented that Microsoft needs to address a communication
> > problem.  It's irrelevant to the full disclosure issue in my mind.
> >
> > I'd honestly like to know if there is a break down in communication at
> > the MSRC that needs to be addressed.  It appears there is one?
> >
>
> No. He didn't. What he said was: "Those of you with large support
> contracts are encouraged to tell your support representatives that you
> would like to see Microsoft invest in developing processes for faster
> responses to external security reports." That sounds like he is
> suggesting that companies put pressure on Microsoft to invest more
> resources in external security reports to me.
>
> Microsoft has historically been exceedingly slow to address any reported
> vulnerabilities *except when people light a fire under them by
> publishing exploits*. Anything less typically takes months to years to
> fix. Even publicly shaming Microsoft isn't always enough. There are
> known, serious, published vulnerabilities that Microsoft didn't fix for
> *years*. I personally found and publicized one of them in 1998 - which
> *8 years later* was still not fixed
> <URL:http://en.wikipedia.org/wiki/Cross-site_cooking>
>
> It isn't about *communication*, it's about Microsoft treating external
> reports seriously and *taking action in a timely way - even if they
> don't have an 'exploit in hand'*.
>
> Tavis indicated he suspects that the 'black hats' already know about
> this particular exploit (IOW he thinks it is a '0-day' exploit already
> loose in the wild).
>
> So who, exactly, would be protected by his *NOT* publishing it?  End
> users? They are probably already being exploited by it.
>
> --
> Benjamin Franz
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
