Bugtraq mailing list archives

Re: Microsoft says email patch flawed


From: zorch () NETSCAPE NET (J Edgar Hoover)
Date: Wed, 29 Jul 1998 22:02:56 PDT


Microsoft has warned that a patch posted yesterday intended to fix a
security hole in its Outlook Express email program does not fix a related
problem.

Once again the case for full disclosure is proven. Given weeks to fix this
bug, and they botch it. Meanwhile, within days of a vague public notification
a few individuals post procmail filters that effectively shut down the
exploit.

During the weeks they had to fix this bug, the vendors never bothered to look
at the other obvious places to try an overflow, yet within days of the open
discussion several readers of bugtraq did.

There is more security expertise on this list than any single company has on
staff. Posting a bug here often gets a quicker and more complete patch than
the vendors provide. Also, people here can look at the problem from many
perspectives, where the vendor may have "tunnel vision", seeing only the
options they have with their specific product.

Additionally, posting a vulnerability in a product from company A may help
company B find that they have the same problem. A public notification puts
them on equal footing, rather than giving one company longer to fix their
product.

An open notification will lead to faster release of patches that actually
work, and you may not even be asked to [Agree] to several pages of legal crap
that says "We don't know if it works, we don't care, use at your own risk,
don't ask us, and don't tell anybody."

Some vendors remain silent when told about a bug, and hope the person
notifying them does too. Others release incomplete or broken patches. It seems
the only time we get fast solid patches with good documentation is when it
involves a free OS with an open development group.

If we leave it to the vendors, many would ask that we remain silent until the
buggy product becomes obsolete. I have personally seen vendors not notify
their customers of remote root bugs for as long as a year after I told them
about it. Next time, they get a cc: to the bugtraq post.

If they can't stand the light of public scrutiny, maybe they shouldn't be
using socket calls that open our machines to the public.




