Full Disclosure mailing list archives

Re: How to Report a Security Vulnerability to Microsoft

From: Steve Friedl <steve () unixwiz net>
Date: Wed, 13 Apr 2005 08:17:59 -0700

On Wed, Apr 13, 2005 at 10:54:34AM -0400, bkfsec wrote:
> It doesn't matter how much honey is poured into people's ears (or smoke 
> blown up their asses, if you will), it's the proof that's in the pudding 
> that counts, and the pudding is sour.

Even if you decide, for the sake of discussion, that Microsoft sucks,
there is still a good reason to work with MSFT on disclosure: the users.

I did a survey of various enterprises from 20 to 200,000 seats, and I
found a high correlation to "size of enterprise" and "how long it takes
to patch". Larger enterprises are usually characterized by *more* clueful
staff, but they have such wide-ranging issues - many line-of-business
applications, for instance - that they simply cannot patch overnight.

I was told "in an emergency, we can get everybody patched in 10 days"
by a manager of 200k seats. Otherwise it takes weeks to test and roll
out the patches. Some huge enterprises can patch faster, but it's not
the norm. These folks need all the time they can get.

All the Microsoft folks I've met get really prickly when it's said that
it takes too long to patch, and even though I know about the astonishing
amount of testing required, I happen to think it *does* take too long.

But unfortunately, I don't think there is much of a way to punish/light
a fire under Microsoft without *hurting the users*, so in this respect
it's like economic sanctions against Cuba: it's annoying for Castro,
but hurts the people much worse.

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | steve () unixwiz net
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/