Administrivia #31082: New NTBugtraq MS Security Bulletin Format

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 10/21/03

  • Next message: Johnson, Allen L.: "Problem with MS03-023 and IE6 SP1 install"
    Date:         Tue, 21 Oct 2003 12:21:39 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Folks,

    This is a heads up that I will be re-sending the MS Security Bulletins
    from October 15th, 2003, in order to properly test out my notification
    system and for you to see the modified format based on your feedback.
    Sorry in advance for those that get them straight to their pagers.

    I received a lot of feedback regarding my new format for NTBugtraq MS
    Security Bulletin notifications. I was asked to add "Maximum Severity
    Rating", Microsoft's rating of the highest criticality of any
    vulnerability covered by the bulletin. I left it out because I usually
    don't agree with it. I provide my rating of severity for the public in
    Shavlik's HFNetchk Pro. TruSecure Corporation customers can get my full
    analysis of every patch from their Analysts.

    I also decided to add "Impact", which Microsoft use to denote the type
    of exploit made possible by a vulnerability.

    Several people suggested I use URL representation sites to provide the
    download links in a shorter form. I implemented something on the
    NTBugtraq site which allows me to do this. I take the GUID from the
    download link and wrap it with NTBugtraq site info and place a redirect
    file on the site representing that URL. If you click on the download
    link in the NTBugtraq message, it will take you through to the MS
    download page.

    The above only applies to new Microsoft Security Bulletins made on or
    after October 15th, 2003. It does not apply to Security Bulletins which
    were created before that date, regardless of whether they are modified
    in the future.

    I have also implemented per-revision notification. I will now send a
    message to the list with every revision MS makes to bulletins, including
    the reason they state for the revision. I do not track whether MS has
    modified a binary without putting a revision on the bulletin, so if that
    happens you won't be notified.

    By default, everyone who subscribes to NTBugtraq receives all messages
    sent to the list. You can, however, select to receive or not receive
    specific message types. Currently, there are 3 types of messages:
    Alert, MajorRev, MinorRev and Other. If you only want to receive initial
    notifications of all MS Security Bulletins, and no revisions, then send
    an email to Listserv@listserv.ntbugtraq.com with the following in the
    message body:

    set NTBugtraq topics +Alert -MajorRev -MinorRev +Other

    You don't need a subject line. If you prefer to receive only
    notifications of Security Bulletin revisions which end in a "0", then
    send this command:

    set NTBugtraq topics +Alert +MajorRev -MinorRev +Other

    If you don't want any MS Security Bulletin stuff I send, then send this
    command:

    set NTBugtraq topics -Alert -MajorRev -MinorRev +Other

    And if you just want them all, do nothing. A full listing of what you
    can do with your subscription is available by sending the command:

    info refcard

    It's important to note that Revision notifications will come in 2
    different formats: the old format for Security Bulletins created before
    October 15th, 2003, and the new format for Security Bulletins created on
    or after that date.

    Finally, there was some confusion about the Microsoft Security Bulletin
    Notification mailing list. Many people thought they had not received any
    notification regarding the bulletins published on October 15th, 2003. In
    fact, MS did send out notifications, in the form of product summaries.
    Two messages were sent out, one summarizing OS patches, the other
    summarizing Exchange patches. Unfortunately they both went out with the
    same subject line. This entire set of patches and summaries was done by
    hand this time around, hence the mistakes. They are in the process of
    automating, and hopefully the mistakes that happened this time won't
    occur again.

    Cheers,
    Russ - NTBugtraq Editor

    -----
    Marcus Ranum's new book "The Myth of Homeland Security" is now out and
    is available from http://www.amazon.com/ranum. In this hard-hitting
    review of the homeland security business, Ranum shows us how the problem
    is vastly harder than it's being made to sound, and how special
    interests, *** covering, and bureaucracy are threatening to derail any
    chance of making progress.
    -----
