Full Disclosure mailing list archives
Re: Microsoft Cries Wolf ( again )
From: Karl DeBisschop <karl () debisschop net>
Date: 01 Jul 2003 22:24:16 -0400
On Tue, 2003-07-01 at 20:18, mattmurphy () kc rr com wrote:
> As for the criticism on Microsoft's blasting researchers who poorly handle security vulnerabilities, most of it is not valid.
If MS had a better means of reporting the problem, or handling bug reports, I'd be more sympathetic. My only experience with MS bug reporting was this known bug with IE: if you configure your web server to negotiate delivery of compressed content, IE will tell the server that it accepts a compressed PDF. It will then hand off the compressed data stream to Acrobat Reader, apparently without decompressing or letting Acrobat know the content should be decompressed.

About a year ago, I tripped over this issue. (I have since found out it is a known bug - see http://www.sitepoint.com/print/1029). In an effort to help MS, I spent hours of company time registering with various bug reporting services on MS sites - and never found one that would accept my bug report because IE is not a paid product. Not that I wanted any support - I only wanted to help them out. In the end, I emailed support@microsoft or some such valid email address. A year later, I am still waiting for a response from MS. No email was bounced, and there was not even an autoresponder. I have not tried the experiment recently, but this issue still is not in their knowledge base, and I still have no reply.

If this is the experience of the typical security researcher, it seems to me that radical full disclosure is a reasonable response - if the vendor will not provide the tools for the users to protect themselves, then the users must band together for self preservation. OTOH, if vendors do respond, then radical full disclosure seems to me unwarranted, and a source of increased risk. For instance, every bug I have reported to PostgreSQL, Red Hat, Mozilla.org, and Ximian [Evolution] has been acknowledged and fixed - always within a few months, usually within days. It's like any relationship -- the way you are treated reflects the trust you have earned.

Matt, you make some valid points. But ISTM they hinge on MS being responsive to bug reports. In my limited experience, they are not.
--
Karl

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
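The server-side workaround for the IE/Acrobat problem described in the post above is to leave PDF responses uncompressed even when the client advertises gzip, and to say so with a Vary header. This is an added example, not code from the post or from any vendor; the negotiation helper, the HELPER_APP_TYPES set and the sample request headers are all constructed here.

```python
import gzip

# Content types the browser hands to an external helper application (Acrobat
# for PDF). The helper never sees the Content-Encoding header, so these are
# served uncompressed. This set is an assumption for the example.
HELPER_APP_TYPES = {"application/pdf"}


def accepts_gzip(accept_encoding):
    """Parse an Accept-Encoding value and report whether gzip is acceptable.
    Honors q-values, so 'gzip;q=0' is a refusal and '*' is a wildcard."""
    qvalues = {}
    for token in accept_encoding.split(","):
        name, _, params = token.partition(";")
        name = name.strip().lower()
        if not name:
            continue
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        qvalues[name] = q
    if "gzip" in qvalues:
        return qvalues["gzip"] > 0
    return qvalues.get("*", 0.0) > 0


def build_response(request_headers, content_type, body):
    """Return (headers, body); compress only when the client accepts gzip AND
    the browser itself will render the content rather than a helper app."""
    headers = {"Content-Type": content_type, "Vary": "Accept-Encoding"}
    if content_type in HELPER_APP_TYPES:
        return headers, body  # PDF stays as-is regardless of Accept-Encoding
    if accepts_gzip(request_headers.get("Accept-Encoding", "")):
        headers["Content-Encoding"] = "gzip"
        return headers, gzip.compress(body)
    return headers, body


def decode_body(headers, body):
    """What a correct client does with the response: undo the transfer
    encoding before handing the bytes to whatever renders them."""
    if headers.get("Content-Encoding") == "gzip":
        return gzip.decompress(body)
    return body


# Constructed sample request, shaped like the one IE sent in the post above.
IE_REQUEST = {"Accept-Encoding": "gzip, deflate", "User-Agent": "MSIE 6.0"}
```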