Information Security News mailing list archives

RE: PATCH DELAY? Buffer Overflow in UPnP Service On Microsoft Windows


From: InfoSec News <isn () c4i org>
Date: Fri, 28 Dec 2001 22:13:44 -0600 (CST)

Forwarded from: McDonald Patrick <mcdonald_patrick () bah com>

I don't have an issue with how long Microsoft took to issue.  I have
an issue with Microsoft not notifying their customers.  How many people
could have been exploited and never known?  Microsoft could have taken
their sweet time as long as they advised the consumer on how to protect
themselves until the patch was loaded.

Pat

-----Original Message-----
From: owner-isn () attrition org [mailto:owner-isn () attrition org]On Behalf Of
InfoSec News
Sent: Thursday, December 27, 2001 11:12 PM
To: isn () attrition org
Subject: [ISN] PATCH DELAY? Buffer Overflow in UPnP Service On Microsoft
Windows

Forwarded from: mrs_aida_capistrano () hushmail com
Cc: marc () eeye com


-----BEGIN PGP SIGNED MESSAGE-----

Hi there,

I posted this to the main security lists today, but no one seems interested.
Chris at vulnwatch.org suggested I send it to attrition and I am copying Marc,
in case he wishes to verify this chain of events or not. One can never tell
if Microsoft is telling the truth or not :-(



Dear Ladies and Gentlemen,

The following official statement was published in a Microsoft news group on
the 26th of December 2001 when many participants queried why it took nearly
two months for a patch to be developed to address the Buffer Overflow in
UPnP Service On Microsoft Windows:

http://www.eeye.com/html/Research/Advisories/AD20011220.html
http://www.microsoft.com/technet/security/bulletin/MS01-059.asp

It does not explain why these defective goods continued to ship for the
Christmas sales season but might be of interest to people on these security
mailing lists:

direct link to news article on the server:

news://news.microsoft.com/#qAgniljBHA.2260@tkmsftngp07

<squirt>


[...]



-
ISN is currently hosted by Attrition.org
