Actually, it is pretty standard practice for a vendor to NOT put out a bug
notification until they are sure they have a good fix. This happened with
one of the bugs I found in HP-UX. HP didn't put a notice out until they had
a patch available.
I have observed that vendors, HP included, tend to take a rather defensive
approach to dealing with bugs in their software. Unfortunately this is
counterproductive when you are trying to get a serious security flaw
patched.
In general I think Microsoft does a pretty good job of getting patches out
but they have missed the boat on several occasions and this is certainly
one of them.
> How many freakin' days does it take to provide even a temporary workaround
> (which eEye provided themselves) that, for example, limits the URL length
> to 255 chars? MS has the source--just add in this check, release the
> temporary fix, continue working on the permanent fix--saving hundreds of
> thousands of servers from being exploited in the meantime.
>
> Oh, food for thought: If MS is now so security conscious, why does their
> *web server* _still_ run as SYSTEM... This is security 101 and I give
> them an F. The flaw in IIS would have not been as devastating (run any
> code you want _as SYSTEM_ on the remote host...)
>
> -Jason
>
> AT&T Wireless Services
> IT Security
> UNIX Security Operations Specialist
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
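The temporary workaround the quoted message asks for, a check that refuses URLs longer than 255 characters, as an added example written for this thread (not code from either poster, from eEye, or from Microsoft's IIS): a front-end request-line filter that rejects malformed lines with a 400 and over-long request targets with a 414 before the request reaches the server. The regex, the function names and the sample request lines are constructed for the example.

```python
import re

# Temporary limit proposed in the quoted message; raw (undecoded) length is
# measured, which is the conservative choice for a stop-gap filter.
MAX_URL_LEN = 255

# Minimal HTTP/1.x request line: METHOD SP request-target SP version
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/1\.[01])$")


def check_request_line(line: str, max_len: int = MAX_URL_LEN):
    """Return (allowed, status) for one raw request line.

    Malformed lines are rejected outright; well-formed lines whose
    request-target exceeds max_len characters get a 414 so the server
    behind the filter never sees the oversized URL."""
    m = REQUEST_LINE.match(line)
    if m is None:
        return False, "400 Bad Request"
    _method, url, _version = m.groups()
    if len(url) > max_len:
        return False, "414 Request-URI Too Long"
    return True, "ok"


def filter_requests(lines):
    """Apply the check to a batch of request lines; returns [(line, status)]."""
    return [(line, check_request_line(line)[1]) for line in lines]


if __name__ == "__main__":
    # Constructed sample traffic: one normal request, one over-long URL,
    # one line that is not a request line at all.
    sample = [
        "GET /index.html HTTP/1.0",
        "GET /" + "A" * 300 + " HTTP/1.1",
        "not an http request",
    ]
    for line, status in filter_requests(sample):
        print(f"{status:28s} {line[:40]}")
```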