Hi Everyone (This can also be an open letter to Microsoft)
Recently I have see a blog post of Microsoft's security team! What i have found disturbs me even more then when we find these 0days! This is what they write! I'm sure one question in people's minds is how we're able to release an update for this issue so quickly. I mentioned on Friday<http://blogs.technet.com/msrc/archive/2007/03/30/update-on-microsoft-security-advisory-935423.aspx#Vulnerability>that this issue was first brought to us in late December 2006 and we've been working on our investigation and a security update since then. This update was previously scheduled for release as part of the April monthly release on April 10, 2007. Are you telling me that this hole was around for just about 4 months and they did nothing about it? I am not wondering why it took them so long to come out with this patch not why they are putting out so early! Also when they were told about this vulnerability they should of fixed it right away as we have seen with the OpenBSD ICMP IP 6 hole! Core security told them about it LESS THEN A WEEK LATER THERE WAS A PATCH. So we ask why? Why does it take so long to put out a patch? Due to the increased risk to customers from these latest attacks, we were able to expedite our testing to ensure an update is ready for broad distribution sooner than April 10. Really? Then Please explain this paragraph *Disclaimer: * The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Links: http://blogs.technet.com/msrc/archive/2007/04/01/latest-on-security-update-for-microsoft-security-advisory-935423.aspx http://www.microsoft.com/technet/security/advisory/935423.mspx I can go on and on but you all get the point! James -- http://www.goldwatches.com/watches.asp?Brand=39 http://www.wazoozle.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/