On Thu, 08 May 2003 18:57:04 +1000, Steven Evans said: > Please, can you wait until microsoft fixes your 'vulnerabilities' before you > post.
Well.. it's interesting.. Vulnerability number 2 (password reset) was apparently closed down within an hour once it hit full-disclosure. Mind you, that's after the guys at Microsoft had been given 3 weeks - and it's been admitted that the hole was there at least since Sept 2002, even though it shouldn't have passed a code review (and they DID tell the FTC they'd tighten up security, and "change a password" would seem to be where you'd START auditing your code, right? ;) Probably why they're facing a potential $2.2 trillion in fines. ;) http://www.washingtonpost.com/wp-dyn/articles/A30330-2003May8.html In any case, Muhammed Faisal Rauf Danka posted vulnerability number 2: > From: Muhammad Faisal Rauf Danka <[EMAIL PROTECTED]> > Date: Wed, 07 May 2003 19:50:51 -0700 (PDT) (22:50 EDT) It hit the mainstream no more than 5 hours later (and the problem functions disabled already): > From: Michael J McCafferty <[EMAIL PROTECTED]> > Date: Thu, 08 May 2003 00:52:32 -0700 (03:52 EDT) > > Well, there ya go it's hit the mainstream press.... > http://news.com.com/2100-1002_3-1000429.html?tag=lh > > The story mentions that MS has turned off all password reset functionality > by now. So finally, Qazi posts.. > Date: Thu, 08 May 2003 11:36:37 +0500 > From: Qazi Ahmed <[EMAIL PROTECTED]> > Subject: [Full-Disclosure] Multiple Vulnerabilities found in Microsoft .Net > Passport Services After adjusting for timezones, this is only 15 minutes before McCafferty posted that *everybody* knew - and I doubt that Microsoft turned it off, news.com found out it was disabled and got a web page up saying that, and then McCafferty posted here that news.com had the page, all in 15 minutes. So I'm not at all sure what you're complaining about regarding the timing.
pgp00000.pgp
Description: PGP signature
