Full Disclosure mailing list archives

Re: Microsoft Cries Wolf ( again )


From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Wed, 2 Jul 2003 13:53:57 -0400

Karl DeBisschop (kdebisschop () alert infoplease com) writes:

As for the criticism on Microsoft's blasting researchers who poorly
handle security vulnerabilities, most of it is not valid.

If MS had a better means of reporting the problem, or handling bug
reports, I'd be more sympathetic.

My only experience with MS bug reporting was this known bug with IE: if
you configure your web server to negotiate delivery of compressed
content, IE will tell the server that it accepts a compressed PDF. It
will then hand off the compressed data stream to Acrobat Reader,
apparently without decompressing or letting Acrobat know the content
should be decompressed.

About a year ago, I tripped over this issue. (I have since found out it
is a known bug - see http://www.sitepoint.com/print/1029). In an effort
to help MS, I spent hours of company time registering to various bug
reporting services on MS sites - and never found one that would accept
my bug report because IE is not a paid product. Not that I wanted any
support - I only wanted to help them out.

Yes, you make an excellent point here -- the general support process is
horrendous.  Unless you've paid for the product, you can't even report a
bug most of the time.  Many people (myself included) have pushed for a
better response to general bug reports.  They currently treat nearly every
issue as a "Technical Support" request.  I can't simply report a bug that I
can reliably reproduce, which is a problem.

However, the security response process typically removes this barrier -- I
have not only been able to submit, but also receive answers to, many
security reports on products that I would not receive support for in the
more general customer support network.  In particular, support for OEM
pre-installs is where things differ quite a bit.  Odds are, if your product
ships with your system, you're basically screwed if trying to seek support
for it.  However, security is more than happy to deal with such issues.  I
really wish support would be more categorized, e.g., major technical issue
versus a known bug.

OTOH, if vendors do respond, then radical full disclosure seems to me
unwarranted, and a source of increased risk. For instance, every bug I
have reported to PostgreSQL, Red Hat, Mozilla.org, and Ximian
[Evolution] has been acknowledged and fixed - always within a few months,
usually within days. It's like any relationship -- the way you are
treated reflects the trust you have earned.

Matt, you make some valid points. But ISTM they hinge on MS being 
responsive to bug reports. In my limited experience, they are not.

Well, Microsoft's customer support certainly does tend to leave a sour
taste in the mouths of most bug reporters.  Unless your complaint is a
complete showstopper, and you have a license that enables you to receive
support directly, you probably will receive no response from Microsoft.

Security, on the other hand, is one of the most responsive parts of the
company I have seen -- at least initially.  When sending a security report
to Microsoft, the longest I've had to wait for a reply was just over two
days.  The reason for even that much delay was that I sent my report in on
a Friday night -- at least in Redmond's time zone. ;-)

While there have been instances where communications appear to have been
"lost", in reality that is just the extreme workload of MSRC showing
through.  They do track and work with each reporter, but communication does
tend to slacken a bit.  However, they are responsive to reporters who
request the status of tracked issues.  In my experience, MSRC really does
work diligently; their attitude seems to be that those who really need
information will request it.

--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .
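The IE/Acrobat bug Karl describes is a client treating a transfer-level Content-Encoding as if it were part of the entity. As an added illustration (not code from this thread or from any of the vendors named), here is a small Python model of both sides: a server that only gzips an allow-list of media types, so application/pdf is never sent gzip-encoded, which is the usual server-side workaround, and a client step that decodes per Content-Encoding before handing the bytes to a viewer. The allow-list, the sample PDF bytes and all function names are my own constructions.

```python
import gzip

# Constructed sample PDF body (not a real document); only the "%PDF-" magic matters here.
PDF_BODY = b"%PDF-1.4\n% constructed sample for the example\n%%EOF\n"

# Media types worth gzipping. PDF and images carry their own compression and are
# left out, which also sidesteps the IE/Acrobat hand-off problem quoted above.
COMPRESSIBLE_TYPES = {"text/html", "text/plain", "text/css", "application/javascript"}


def negotiate_encoding(accept_encoding: str, content_type: str) -> str:
    """Pick 'gzip' only when the client offers it AND the media type is on the allow-list."""
    offered = {tok.split(";")[0].strip().lower() for tok in accept_encoding.split(",")}
    media_type = content_type.split(";")[0].strip().lower()
    return "gzip" if "gzip" in offered and media_type in COMPRESSIBLE_TYPES else "identity"


def build_response(accept_encoding: str, content_type: str, body: bytes):
    """Server side: (headers, payload) with Content-Encoding matching what was actually done."""
    enc = negotiate_encoding(accept_encoding, content_type)
    payload = gzip.compress(body) if enc == "gzip" else body
    return {"Content-Type": content_type, "Content-Encoding": enc}, payload


def naive_response(content_type: str, body: bytes):
    """A server that gzips everything for a gzip-capable client, PDFs included."""
    return {"Content-Type": content_type, "Content-Encoding": "gzip"}, gzip.compress(body)


def decode_for_handler(headers: dict, payload: bytes) -> bytes:
    """Client side: undo Content-Encoding before passing the entity to a viewer/plugin.
    Skipping this step is the failure described for IE handing a gzip stream to Acrobat."""
    enc = headers.get("Content-Encoding", "identity").lower()
    if enc == "identity":
        return payload
    if enc == "gzip":
        return gzip.decompress(payload)
    raise ValueError(f"unsupported Content-Encoding: {enc}")


def looks_like_pdf(data: bytes) -> bool:
    """Roughly what a PDF viewer checks first: the file magic."""
    return data.startswith(b"%PDF-")


if __name__ == "__main__":
    hdrs, raw = naive_response("application/pdf", PDF_BODY)
    print("naive server, viewer handed raw gzip bytes:", looks_like_pdf(raw))  # False
    print("after decoding per Content-Encoding:", looks_like_pdf(decode_for_handler(hdrs, raw)))  # True
    hdrs, raw = build_response("gzip, deflate", "application/pdf", PDF_BODY)
    print("allow-list server sends PDF as:", hdrs["Content-Encoding"], looks_like_pdf(raw))
```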


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
