Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly



In my humble opinion, he could have waited a couple more days just in case
Microsoft decided to do the unprecedented.
In which case, a progressive change of policies at Microsoft is better than
a couple of users getting hacked from pron sites...

Cheers.

On Thu, Jun 10, 2010 at 8:20 PM, Benjamin Franz <jfranz@xxxxxxxxxxx> wrote:

On 06/10/2010 09:26 AM, Susan Bradley wrote:
> You commented that Microsoft needs to address a communication
> problem. It's irrelevant to the full disclosure issue in my mind.
>
> I'd honestly like to know if there is a break down in communication at
> the MSRC that needs to be addressed. It appears there is one?


No. He didn't. What he said was: "Those of you with large support
contracts are encouraged to tell your support representatives that you
would like to see Microsoft invest in developing processes for faster
responses to external security reports." That sounds like he is
suggesting that companies put pressure on Microsoft to invest more
resources in external security reports to me.

Microsoft has historically been exceedingly slow to address any reported
vulnerabilities *except when people light a fire under them by
publishing exploits*. Anything less typically takes months to years to
fix. Even publicly shaming Microsoft isn't always enough. There are
known, serious, published vulnerabilities that Microsoft didn't fix for
*years*. I personally found and publicized one of them in 1998 - which
*8 years later* was still not fixed
<URL:http://en.wikipedia.org/wiki/Cross-site_cooking>

It isn't about *communication*, it's about Microsoft treating external
reports seriously and *taking action in a timely way - even if they
don't have an 'exploit in hand'*.

Tavis indicated he suspects that the 'black hats' already know about
this particular exploit (IOW he thinks it is a '0-day' exploit already
loose in the wild).

So who, exactly, would be protected by his *NOT* publishing it? End
users? They are probably already being exploited by it.

--
Benjamin Franz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
