Full Disclosure mailing list archives
Absurd Microsoft QA? The Return of the "username@password"...
From: webheadport80 () netscape net
Date: Wed, 11 Feb 2004 23:20:25 -0500
This was just brought to my attention. I have to tell you how ridiculous the below events are. See the URL link below for yourself.

* February 2, 2004: Microsoft issues an emergency IE cumulative patch (MS04-004) which had three fixes. As everyone is aware by now... one removed the functionality to utilize "username@password:" in URL references, which got a lot of hoopla in the industry.
* This release was outside of Microsoft's own, established monthly schedule for security patches. The whole infosec industry was dumbfounded by this… as there was NO new impending threat taking advantage of the IE vulnerabilities this 004 patch fixed. It made absolutely no sense to release this outside of the established monthly cycle.
* Considering that on February 10, 2004… just one week later… Microsoft would release their scheduled monthly set of security patches… this causes a lot of frustration and rework for large corporations to address significant Microsoft security patches a week apart as two initiatives instead of combining them into one concerted effort.
* Microsoft's defense is that there was an immediate threat. Well, November 2003 is when the IE vulnerabilities were discovered. Why weren't these addressed and released then??? Is it accurate to assume that Microsoft takes 3 months to address IMMEDIATE threats??? The ASN vulnerability (MS04-007) released today by Microsoft is significantly more severe and critical than any of the IE vulnerabilities.
* Here's the final straw… On February 10, 2004… Microsoft released a patch that… restores the "username@password:" functionality in URL references!
* It seems they are trying to hide this fact, as it is not widely publicized and it is NOT being labeled as an IE patch nor even a security patch! They're labeling it as an XML patch, which is a little shady since it was originally put into the February 2, 2004 IE cumulative security patch!
* Is it coincidence that Microsoft chose to release the XMLHTTP patch to restore the "username@password:" functionality the DAY OF releasing the February monthly security bulletins??? I think NOT! One could gather that it was released the same day so as not to have a lot of attention drawn to it, since everyone would be getting up to speed on the three released for February (MS04-005, 006, 007).
* For details see: http://support.microsoft.com/default.aspx?scid=kb;en-us;832414
* What are we, the consumers, the users, supposed to glean out of these events???
* I seriously question Microsoft's QA process if after three months it was decided to remove the "username@password:" functionality… only to provide a patch to restore it a week after releasing the original patch that removed it!
* Keep in mind that Microsoft seemed to have MISSED the fact that… THEY THEMSELVES use the "username@password:" in their OWN software!!! Nice communication and collaboration!!! Way to go!!!
* I now have doubts about the quality of today's MS04-007 ASN security patch that was released. Even though Microsoft has been working on this patch since July-August of 2003… will it get re-released with another, updated version because all the vulnerabilities were not fixed??? We are seeing a definite pattern in the last 12 months… in addition to the above IE events, do you remember the MS03-026 and MS03-039 fiasco? There are still other high-severity vulnerabilities that Microsoft has yet to patch that are still "on their plate" and well overdue. Just look at eEye's queue of overdue patches!
* Microsoft is losing a lot of trust in their ability and thoroughness of QA, in addition to any comfort there was in a monthly schedule. If you're in a position of power and/or influence... we have to express our large dissatisfaction to Microsoft regarding the emergency fashion in which the MS04-004 IE cumulative security patch was released outside of the monthly schedule… just to have another patch restore the "username@password:" functionality! Absurd and unacceptable!!!

WebHead