In my humble opinion, he could have waited a couple more days just in case Microsoft decided to do the unprecedented. In which case, a progressive change of policies at Microsoft is better than a couple of users getting hacked from pron sites...
Cheers.

On Thu, Jun 10, 2010 at 8:20 PM, Benjamin Franz <jfr...@freerun.com> wrote:
> On 06/10/2010 09:26 AM, Susan Bradley wrote:
> > You commented that Microsoft needs to address a communication
> > problem. It's irrelevant to the full disclosure issue in my mind.
> >
> > I'd honestly like to know if there is a breakdown in communication at
> > the MSRC that needs to be addressed. It appears there is one?
> >
>
> No. He didn't. What he said was: "Those of you with large support
> contracts are encouraged to tell your support representatives that you
> would like to see Microsoft invest in developing processes for faster
> responses to external security reports." That sounds like he is
> suggesting that companies put pressure on Microsoft to invest more
> resources in external security reports to me.
>
> Microsoft has historically been exceedingly slow to address any reported
> vulnerabilities *except when people light a fire under them by
> publishing exploits*. Anything less typically takes months to years to
> fix. Even publicly shaming Microsoft isn't always enough. There are
> known, serious, published vulnerabilities that Microsoft didn't fix for
> *years*. I personally found and publicized one of them in 1998 - which
> *8 years later* was still not fixed
> <URL:http://en.wikipedia.org/wiki/Cross-site_cooking>
>
> It isn't about *communication*, it's about Microsoft treating external
> reports seriously and *taking action in a timely way - even if they
> don't have an 'exploit in hand'*.
>
> Tavis indicated he suspects that the 'black hats' already know about
> this particular exploit (IOW he thinks it is a '0-day' exploit already
> loose in the wild).
>
> So who, exactly, would be protected by his *NOT* publishing it? End
> users? They are probably already being exploited by it.
>
> --
> Benjamin Franz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/