Full Disclosure mailing list archives
Re: How to Report a Security Vulnerability to Microsoft
From: Steve Friedl <steve () unixwiz net>
Date: Wed, 13 Apr 2005 08:17:59 -0700
On Wed, Apr 13, 2005 at 10:54:34AM -0400, bkfsec wrote:
> It doesn't matter how much honey is poured into people's ears (or smoke blown up their asses, if you will), it's the proof that's in the pudding that counts, and the pudding is sour.
Even if you decide, for the sake of discussion, that Microsoft sucks, there is still a good reason to work with MSFT on disclosure: the users.

I did a survey of various enterprises from 20 to 200,000 seats, and I found a high correlation between "size of enterprise" and "how long it takes to patch". Larger enterprises are usually characterized by *more* clueful staff, but they have such wide-ranging issues - many line-of-business applications, for instance - that they simply cannot patch overnight.

I was told "in an emergency, we can get everybody patched in 10 days" by a manager of 200k seats. Otherwise it takes weeks to test and roll out the patches. Some huge enterprises can patch faster, but it's not the norm. These folks need all the time they can get.

All the Microsoft folks I've met get really prickly when it's said that it takes too long to patch, and even though I know about the astonishing amount of testing required, I happen to think it *does* take too long.

But unfortunately, I don't think there is much of a way to punish/light a fire under Microsoft without *hurting the users*, so in this respect it's like economic sanctions against Cuba: it's annoying for Castro, but hurts the people much worse.

Steve

--
Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve () unixwiz net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/