Bugtraq mailing list archives
Re: Fwd: Information on MS99-022
From: Russ.Cooper () RC ON CA (Russ)
Date: Mon, 5 Jul 1999 02:52:07 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just to keep things straight around here...I don't filter anyone's posts, I moderate a mailing list which has a lot of messages from a lot of people dropped on the floor for a lot of reasons.

There wasn't 10 minutes between the release of MS99-022 and the time I had Microsoft on the phone over the disclosure issue. I stated my case, that Microsoft must release "signature" details of internally discovered vulnerabilities to "the public", and was told there was a discussion going to be held on the issue. I believe I stated the case well, and that my intentions and recommendation on how to do this best were heard.

It matters not who receives the full details, as long as they get to the public in a timely fashion. I don't feel that full and immediate disclosure is always necessary, or prudent (and neither does eEye), but it's crucial that they do get into the public's hands. Neither Microsoft, nor ICSA, can assure anyone that any mechanism for disclosure is going to reduce, or eliminate, public disclosure...therefore any attempts at doing so from the beginning are, as someone else already said, Security By Obscurity.

I'm as unhappy as everyone else that Microsoft appear to have chosen this route to the disclosure of internally discovered vulnerabilities. This will become even more obvious over the next few weeks, unfortunately. Although discussions held recently during the NTBugtraq Party may have some influence on their future disclosures...we can only hope.

If anyone is going to "re-release Microsoft's advisories with full details", that's great. Every worthwhile post is going to make it to NTBugtraq. I will say this though, I do not believe that any such "re-release" can possibly provide us with the information we *need* and *demand* from Microsoft.

It goes without saying that Microsoft have, for a very long time, been releasing what we would call "security fixes" within service packs without making any announcements. The fact that they do, now, provide a Security Bulletin is a Good Thing(tm). They say their customers don't want them "telling hackers how to do a better job". I say we can't possibly know how good a job they, Microsoft, are doing without knowing more about vulnerabilities.

Each Security Bulletin about an internally discovered vulnerability that is released without sufficient "signature" details erodes their credibility amongst the community of users who, possibly, may be the only ones trusted to say "Yes" or "No" to NT deployment in environments requiring security, stability, or integrity. "Trust" doesn't come exclusively from the availability of a fix. It's something earned and enhanced through the dissemination of accurate and timely information. Whether or not you, the individual Bugtraq reader, trust Microsoft isn't relevant here. Microsoft is less trustworthy if we, "the public", are not trusted with this information, period.

Cheers,
Russ - NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBN4BWGM+Ua7J6A+woEQKPewCg3RS9gsSHHYops2y6PG7E2EnYJhQAoMYQ
BvgCqmtjae9+GUvE4BPO7+ce
=7SrQ
-----END PGP SIGNATURE-----