Full Disclosure mailing list archives

RE: Hotmail & Passport (.NET Accounts) Vulnerability


From: "nate" <fulldisclosure () aphroland org>
Date: Sat, 10 May 2003 00:59:46 -0700 (PDT)

David Vincent said:

...why?  is this a fame thing or are you worried that ppl aren't getting
credit for the vulns they discover and therefore don't have the
intellectual property over said vulns?

I could have sworn I read somewhere (maybe it was just an opinion), perhaps
sometime last year, that MS started trying to crack down more on disclosures,
wanting people to "co-operate" more (even if it meant waiting 2-3-4
months for them to come up with a fix), and would only give "credit"
to those parties that "co-operated" with them in that manner. Which
is their right, I don't care either way (I don't use their products
anyways).

I've noticed at least some of the MS-related security reports seemed
to have rather large gaps of time between notification and announcement
of available fixes (weeks, months ..).

I personally would prefer a more full disclosure stance from vendors
(even open source ones), at least announcing that there is a severe
problem with app X, and that the vendor advises restricting access to it
or shutting it down. E.g. the SSH root exploit last year: there was a
big uproar about it, and my Linux distribution (Debian) was forced to
release new versions of the package when in fact the version of SSH
that shipped with the product WAS NOT VULNERABLE (the affected features
did not exist in that version of OpenSSH). The security folk didn't
have the information they needed to determine what the problem was.

On a similar note, a couple years ago there was a bunch of advisories
that came out for various ftp servers with regards to "globbing"
(the ls */*/*/* bug); Debian's port of the openbsd-ftp server
remained vulnerable for probably nearly a year without so much as
a peep out of the security team. I emailed them several times and
conversed directly with a couple Debian developers; at least they
could have issued an advisory NOT to use that particular package until
a fix was available (there are many alternative ftp servers after all),
but there was silence. Their response to me was that the problem was
in glibc and they were working on a fix for glibc which would fix
it, but there was some sort of holdup for the fix. Though I would
much rather know a package is vulnerable, even if it may not be
fixed for 3-4 months, so I can stop using it, or at least severely
restrict access to the port and monitor it much closer than otherwise
would be spent monitoring it.

Even if it means updating a security advisory several times, I'd love
to see a system that notified immediately upon discovery, and then
tracked the status of the fix until it is made available (at least for
patches that would take longer than 24 hours to release). Anyone
know if MS has ever gotten a patch out in less than 24 hours from
notification? I remember reading Samba's response to their most
recent troubles; I think Jeremy Allison (sp?) said they had fixes
to the bugs within 2 hours of being notified, or something like that,
though they waited 48-72 hours to give their vendors time to prepare
"packaged" fixes before making a formal announcement.


nate



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html