Re: Microsoft Vulnerabilities ARE being reported to Microsoft
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 12/23/04
- Previous message: ISNYC: "RE: Microsoft Vulnerabilities ARE being reported to Microsoft"
- In reply to: ISNYC: "RE: Microsoft Vulnerabilities ARE being reported to Microsoft"
- Next in thread: Steven Hay: "RE: Microsoft Vulnerabilities ARE being reported to Microsoft"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 23 Dec 2004 07:35:24 -0800
To: ISNYC <admin@infosecnyc.com>
Ever heard the expression that a bad/rushed patch can cause boxes to die?
Do you ever come out to web forums, newsgroups and what not and see the
impact of Blaster, Sasser, Code Red, etc? Help clean up after those messes?
For those eEye reported items... how do you know they are not working on
patches for those items? Patch testing takes TIME. Especially Internet
Explorer ones. I test patches before I roll them out and then look for
the "dead bodies" in the newsgroups when patches cause issues.
How about instead of "helping" Microsoft, how about you come on over to
patchmanagement.org listserver or the webforums and communities I hang
around and help patch and maintain networks, home systems, clean out
malware. You are adding more work for us to do out here. How about
helping Microsoft a little less... and helping computer users a little more?
All I'm saying is how about working with Microsoft...and give time for a
patch to be built on behalf of the folks that have no admin, no
knowledge, no clue to take alternative actions. My space is only aware
of Windows Update and if they are in the newsgroups, they might see my
posts about anything extra to get.
If you don't get communication back from them, ping me...they sure
respond to me on the secure@ alias when I forward stuff that I see on
listservs to them so I know there's someone checking that email.
Just my two cents.
ISNYC wrote:
>Ohh. So you're the type to keep things in the closet.
>
>Well.. I disagree.
>
>He/Paul is complaining that MS is not responding to his bug reports.
>(typical)
>
>He/We are not attacking MS.
>
>We're trying to help them, but they don't want to help themselves. There
>are countless 0days for MS that have been reported, without a patch. (cough
>** eeye ** cough)
>
>
>So what's worse, you tell me?
>
>1. Keep the bug in the closet, let a blackhat self discover it and exploit
>it, and spread it in the private 0day world, and just let blackhats hack
>away at the bug. Compromising thousands, possibly millions of PCs/servers.
>
>Or
>
>2. Report the bug to the software vendor, then expose the bug on a full
>disclosure list for everyone to read and see. Make it public. Then
>users/admins can decide how to protect themselves and the companies they
>work for.
>
>
>Ever hear the expression .. What you can't see Can Hurt you.
>
>
>Take Care-
>
>
>
>
>-----Original Message-----
>From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>[mailto:sbradcpa@pacbell.net]
>Sent: Wednesday, December 22, 2004 4:26 PM
>To: ISNYC
>Cc: 'Paul'
>Subject: Re: Microsoft Vulnerabilities ARE being reported to Microsoft
>
>
>Let's not folks.
>
>Do you folks have any idea of what impact you have on the world when you
>guys pull stuff like this? Forget hurting Microsoft... you hurt my
>communities down here.
>
>ISNYC wrote:
>
>
>
>>paul//
>>
>>Do you really care what MS thinks?
>>My way of going around things....
>>
>>1. Find the bug
>>2. Inform the software maker
>>3. Release the bug/vulnerability and a proof of concept(POC/exploit) to
>>a full disclosure list.
>>
>>Paul... If you can compromise SP2, let's see it. Release a POC.
>>
>>Take it from there.
>>
>>Happy Holidays Everyone-
>>
>>
>>
>>-----Original Message-----
>>From: Paul [mailto:paul@greyhats.cjb.net]
>>Sent: Monday, December 20, 2004 10:29 PM
>>To: focus-ms@securityfocus.com
>>Subject: Microsoft Vulnerabilities ARE being reported to Microsoft
>>
>>
>>
>>
>>If you came here looking for a vulnerability, you will be disappointed,
>>because this is simply a message. Contrary to popular opinion, I do
>>disclose my vulnerabilities to Microsoft before release. They do not
>>respond to any of my emails so I assumed they either 1) didn't care, or
>>2) were taking considerable action to patch these vulnerabilities. The
>>Microsoft statement that I do not disclose the vulnerabilities to them
>>is untrue and is probably just an attempt by Microsoft to make me look
>>bad because of their own incompetence. I will continue to work towards
>>a secure operating system because that is what we security
>>professionals strive to accomplish.
>>
>>PS: Microsoft, I have found a way to compromise SP2 by writing a file
>>to anywhere on the victim's computer without user interaction. As
>>always, I will email you with the details of the vulnerability.
>>
--
An open letter to the Security Community:: http://msmvps.com/bradley/archive/2004/12/12/23540.aspx