Full Disclosure mailing list archives
Re: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
From: Benjamin Franz <jfranz () freerun com>
Date: Thu, 10 Jun 2010 11:20:56 -0700
On 06/10/2010 09:26 AM, Susan Bradley wrote:
> You commented that Microsoft needs to address a communication problem. It's irrelevant to the full disclosure issue in my mind. I'd honestly like to know if there is a breakdown in communication at the MSRC that needs to be addressed. It appears there is one?

No. He didn't. What he said was:

"Those of you with large support contracts are encouraged to tell your support representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports."

That sounds like he is suggesting that companies put pressure on Microsoft to invest more resources in external security reports to me.

Microsoft has historically been exceedingly slow to address any reported vulnerabilities *except when people light a fire under them by publishing exploits*. Anything less typically takes months to years to fix. Even publicly shaming Microsoft isn't always enough. There are known, serious, published vulnerabilities that Microsoft didn't fix for *years*. I personally found and publicized one of them in 1998 - which *8 years later* was still not fixed <URL:http://en.wikipedia.org/wiki/Cross-site_cooking>

It isn't about *communication*, it's about Microsoft treating external reports seriously and *taking action in a timely way - even if they don't have an 'exploit in hand'*.

Tavis indicated he suspects that the 'black hats' already know about this particular exploit (IOW he thinks it is a '0-day' exploit already loose in the wild). So who, exactly, would be protected by his *NOT* publishing it? End users? They are probably already being exploited by it.

--
Benjamin Franz