[16062] in bugtraq


Re: Windows 9x? (Re: Microsoft Security Bulletin (MS00-047))

daemon@ATHENA.MIT.EDU (Ryan Fox)
Wed Aug 2 16:05:25 2000

MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID:  <006101bffca0$2ccd9260$32611cd8@noguska.com>
Date:         Wed, 2 Aug 2000 12:39:06 -0400
Reply-To: Ryan Fox <rfox@NOGUSKA.COM>
From: Ryan Fox <rfox@NOGUSKA.COM>
X-To:         Microsoft Security Response Center <secure@MICROSOFT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

What irks me about this e-mail...

1.  The vendor knew versions of their software were vulnerable, but
intentionally failed to list them in their disclosure.  An example situation
where these platforms are susceptible (large win9x only workgroup) has
already been posted to the list, and the vendor does not feel it is worth it
to patch.  Let's call this one vendor's prerogative and move on.

2.  The vendor's patch, by their own admission in the last e-mail, breaks
some "normal, by-design management functions" in the NetBIOS protocol.  They
also called the patch unsuitable for rollout over the entire network.
Nowhere in the initial disclosure was any mention of this.  I, for one,
would feel much more comfortable applying a patch if I knew exactly what it
did.  Open source arguments aside, perhaps vendors should make a practice of
creating detailed TIDs for released patches, documenting what changes in
the system will occur upon application.

Ryan Fox
Noguska
rfox@noguska.com
