[thelist] New Critical Security Patch for Windows....

Ken Schaefer ken at adOpenStatic.com
Wed Feb 11 18:37:51 CST 2004


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Eveline" <e.vanhemel at pandora.be>
Subject: Re: [thelist] New Critical Security Patch for Windows....


: I don't know if you have heard, but Microsoft already knew about
: this issue 6 months ago.... The security company which discovered the
: problem had to promise Microsoft not to go public with this
: until they had a solution.....
:
: Nice practices, isn't it......
:
: Greetings,
:
: Eveline
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

That's the accepted way the whitehat community works. No one has to promise
anything. The reputable companies/hackers will present the exploit to the
vendor, then wait between 7-14 days for a response (so the vendor can verify
the claims). The vendor then has a reasonable time to come up with a
solution, upon which the discoverer is free to release their advisory.
Depending on the complexity of the patch, it may be some time before an
acceptable solution has been programmed. When a patch takes an extended
amount of time to produce, the discoverer is kept "in the loop" so that they
are aware of progress on the issue.

This has nothing to do with Microsoft making anyone promise anything. Read
any of the advisories posted on Bugtraq and you'll see the timeline included
in the advisory.

Cheers
Ken


