RE: Microsoft upgrades IE flaw to critical after criticism

[InfoSec News <isn () c4i org>]

Forwarded from: "Kuypers, Jimmy" <myemailaccount () fastmail fm>

CMIIW, but didn't microsoft anounce to downplay alot of it's security
warnings to less then "critical" because of the many critical patches
real end-users could no longer distinquish wich patches are truely
critical (imo all are ofcourse) and then the end-users wouldn't
download any of them... This was also called the "boy who cried wolf"
effect....

Leme see, yes a quote :
"The Redmond-based software giant also plans to limit the "critical"
rating on security alerts to customers because of fears that too many
high-level alerts were being issued. Instead of issuing a "critical"
rating on vulnerability warnings, Microsoft has modified its Severity
Rating Criteria to specify clearly which bugs needed to be addressed
immediately.

"There is also a widespread feeling that the Severity Ratings are
difficult to understand and apply. For these reasons, we have modified
(the criteria) to help customers more easily evaluate the impact of
security issues," Lipner explained. So far this year, almost half of
Microsoft's 64 vulnerability alerts were tagged with the 'critical'
rating and security experts have warned about a potential "cry wolf"
situation if too many insignificant patches came with the
highest-level rating. "

I got this from http://www.internetnews.com/dev-news/article.php/1503241 but
I first got wind of it via this article
http://www.tweakers.net/nieuws/24378/?highlight=critical+%2B+microsoft+%2B+p
atch (some of it in Dutch)

Conclusion:
So we can expect less "critical" patches from MS now. Just keep in
mind that this doesn't mean there are less bugs or security problems
with the MS software. Eventho MS re-upgraded the severity level of
this patch due to negative feedback, this won't get them to step of
their new policy of downplaying security warnings.

Greatings,
Jimmy



-----Original Message-----
From: InfoSec News [mailto:isn () c4i org]
Sent: woensdag 11 december 2002 9:25
To: isn () attrition org
Subject: Re: [ISN] Microsoft upgrades IE flaw to critical after
criticism


Forwarded from: joerg () fs is uni-sb de

Allow me to comment a little bit on this one:

> http://www.nwfusion.com/news/2002/1209msflaw.html
>
> By Joris Evers
> IDG News Service
> 12/09/02
>
> Microsoft raised the risk rating on a security flaw in Internet
> Explorer (IE) to "critical" after criticism prompted it to reexamine
> the issue, the company said Friday.

The company did hardly get 'prompted to reexamine the issue'. It got
told directly that it is wrong, on the edge of lying. In the words of
Thor Larholm on Bugtraq,


http://online.securityfocus.com/archive/1/302174/2002-11-30/2002-12-06/0

"It seems like Microsoft are deliberately downplaying the severity of
their vulnerabilities in an attempt to gain less bad press. It sure
would look bad to release 2 critical cumulative updates in just 2
weeks, but that is exactly what has been done. As it stands now, the
bulletin is released and most journalists willing to comment have
already noticed the "Moderate" label and the extensive list of
(incorrect) mitigating factors, and quite likely will not write
anything on just how severe this really is. I doubt most people care
to read the revisions to the bulletin that will come later."


It is possible that the article by nwfusion references another MS
Security bulletin, as MS chose to change the Severity Rating of some
bulletins lately. I lost track of IE patches some years ago, I am
afraid.

Trustworthy Bulletin Initiative might be the next step MS wants to take...

Regards,

Joerg



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.