Re: [ISN] Microsoft upgrades IE flaw to critical after criticism

From: InfoSec News (isnat_private)
Date: Wed Dec 11 2002 - 00:25:18 PST

  • Next message: InfoSec News: "[ISN] REVIEW: "CISSP for Dummies", Lawrence Miller/Peter Gregory"

    Forwarded from: joergat_private-sb.de
    
    Allow me to comment a little bit on this one:
    
    > http://www.nwfusion.com/news/2002/1209msflaw.html
    > 
    > By Joris Evers
    > IDG News Service
    > 12/09/02
    > 
    > Microsoft raised the risk rating on a security flaw in Internet
    > Explorer (IE) to "critical" after criticism prompted it to reexamine
    > the issue, the company said Friday.
    
    The company did hardly get 'prompted to reexamine the issue'. It got
    told directly that it is wrong, on the edge of lying. In the words of
    Thor Larholm on Bugtraq,
    
    
    http://online.securityfocus.com/archive/1/302174/2002-11-30/2002-12-06/0
    
    "It seems like Microsoft are deliberately downplaying the severity of
    their vulnerabilities in an attempt to gain less bad press. It sure
    would look bad to release 2 critical cumulative updates in just 2
    weeks, but that is exactly what has been done. As it stands now, the
    bulletin is released and most journalists willing to comment have
    already noticed the "Moderate" label and the extensive list of
    (incorrect) mitigating factors, and quite likely will not write
    anything on just how severe this really is. I doubt most people care
    to read the revisions to the bulletin that will come later."
    
    
    It is possible that the article by nwfusion references another MS
    Security bulletin, as MS chose to change the Severity Rating of some
    bulletins lately. I lost track of IE patches some years ago, I am
    afraid.
    
    Trustworthy Bulletin Initiative might be the next step MS wants to take...
    
    Regards,
    
    Joerg
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 02:32:42 PST