Forwarded from: McDonald Patrick <mcdonald_patrickat_private>

I don't have an issue with how long Microsoft took to issue. I have an issue with Microsoft not notifying their customers. How many people could have been exploited and never known? Microsoft could have taken their sweet time as long as they advise the consumer on how to protect themselves until the patch was loaded.

Pat

-----Original Message-----
From: owner-isnat_private [mailto:owner-isnat_private]On Behalf Of InfoSec News
Sent: Thursday, December 27, 2001 11:12 PM
To: isnat_private
Subject: [ISN] PATCH DELAY? Buffer Overflow in UPnP Service On Microsoft Windows

Forwarded from: mrs_aida_capistranoat_private
Cc: marcat_private

-----BEGIN PGP SIGNED MESSAGE-----

Hi there,

I posted this to the main security lists today, but no one seems interested. Chris at vulnwatch.org suggested I send it to attrition and I am copying Marc, in case he wishes to verify this chain of events or not. One can never tell if Microsoft is telling the truth or not :-(

Dear Ladies and Gentlemen,

The following official statement was published in a Microsoft news group on the 26th of December 2001 when many participants queried why it took nearly two months for a patch to be developed to address the Buffer Overflow in UPnP Service On Microsoft Windows

http://www.eeye.com/html/Research/Advisories/AD20011220.html
http://www.microsoft.com/technet/security/bulletin/MS01-059.asp

It does not explain why these defective goods continued to ship for the Christmas sales season but might be of interest to people on these security mailing lists:

direct link to news article on the server:
news://news.microsoft.com/#qAgniljBHA.2260@tkmsftngp07

<squirt>

[...]

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Sat Dec 29 2001 - 01:12:32 PST