Full Disclosure mailing list archives
RE: Hotmail & Passport (.NET Accounts) Vulnerability
From: "nate" <fulldisclosure () aphroland org>
Date: Sat, 10 May 2003 00:59:46 -0700 (PDT)
David Vincent said:
...why? is this a fame thing or are you worried that ppl aren't getting credit for the vulns they discover and therefore don't have the intellectual property over said vulns?
I could have sworn I read somewhere (maybe it was just an opinion), perhaps sometime last year, that MS started trying to crack down more on disclosures, wanting people to "co-operate" more (even if it meant waiting 2-3-4 months for them to come up with a fix), and would only give "credit" to those parties that "co-operated" with them in that manner. Which is their right; I don't care either way (I don't use their products anyway). I've noticed at least some of the MS-related security reports seemed to have rather large gaps of time between notification and announcement of available fixes (weeks, months...).

I personally would prefer a more full disclosure stance from vendors (even open source ones), at least announcing that there is a severe problem with app X, and that the vendor advises restricting access to it or shutting it down. E.g. with the SSH root exploit last year there was a big uproar about it, and my Linux distribution (Debian) was forced to release new versions of the package when in fact the version of SSH that shipped with the product WAS NOT VULNERABLE (the affected features did not exist in that version of OpenSSH). The security folk didn't have the information they needed to determine what the problem was.

On a similar note, a couple of years ago there was a bunch of advisories that came out for various ftp servers with regards to "globbing" (the ls */*/*/* bug); Debian's port of the openbsd-ftp server remained vulnerable for probably nearly a year without so much as a peep out of the security team. I emailed them several times and conversed directly with a couple of Debian developers; at least they could have issued an advisory NOT to use that particular package until a fix was available (there are many alternative ftp servers after all), but there was silence. Their response to me was that the problem was in glibc and they were working on a fix for glibc which would fix it, but there was some sort of holdup for the fix.
Though I would much rather know a package is vulnerable, even if it may not be fixed for 3-4 months, so I can stop using it, or at least severely restrict access to the port and monitor it much more closely than I otherwise would. Even if it means updating a security advisory several times, I'd love to see a system that notified immediately upon discovery, and then tracked the status of the fix until it is made available (at least for patches that would take longer than 24 hours to release).

Anyone know if MS has ever gotten a patch out in less than 24 hours from notification? I remember reading Samba's response to their most recent troubles; I think Jeremy Allison (sp?) said they had fixes to the bugs within 2 hours of being notified or something like that, though they waited 48-72 hours to give their vendors time to prepare "packaged" fixes before making a formal announcement.

nate

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Hotmail & Passport (.NET Accounts) Vulnerability David Vincent (May 09)
- RE: Hotmail & Passport (.NET Accounts) Vulnerability nate (May 10)