> Microsoft has warned that a patch posted yesterday intended to fix a
> security hole in its Outlook Express email program does not fix a related
> problem.

Once again the case for full disclosure is proven. Given weeks to fix this bug, and they botch it. Meanwhile, within days of a vague public notification a few individuals post procmail filters that effectively shut down the exploit. During the weeks they had to fix this bug, the vendors never bothered to look at the other obvious places to try an overflow, yet within days of the open discussion several readers of bugtraq did.

There is more security expertise on this list than any single company has on staff. Posting a bug here often gets a quicker and more complete patch than the vendors provide. Also, people here can look at the problem from many perspectives, where the vendor may have "tunnel vision", seeing only the options they have with their specific product. Additionally, posting a vulnerability in a product from company A may help company B find that they have the same problem. A public notification puts them on equal footing, rather than giving one company longer to fix their product.

An open notification will lead to faster release of patches that actually work, and you may not even be asked to [Agree] to several pages of legal crap that says "We don't know if it works, we don't care, use at your own risk, don't ask us, and don't tell anybody."

Some vendors remain silent when told about a bug, and hope the person notifying them does too. Others release incomplete or broken patches. It seems the only time we get fast, solid patches with good documentation is when it involves a free OS with an open development group. If we leave it to the vendors, many would ask that we remain silent until the buggy product becomes obsolete. I have personally seen vendors not notify their customers of remote root bugs for as long as a year after I told them about it. Next time, they get a cc: to the bugtraq post.
If they can't stand the light of public scrutiny, maybe they shouldn't be using socket calls that open our machines to the public.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:10:54 PDT