[28806] in bugtraq
RE: Microsoft Security Bulletin MS03-005: Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation (810577)
daemon@ATHENA.MIT.EDU (John Howie)
Thu Feb 6 12:45:00 2003
Date: Thu, 6 Feb 2003 08:01:58 -0800
Message-ID: <DAEF28A9E7214B46AE7C7C66861F630807B0AB@STKSRV1.securitytoolkit.com>
From: "John Howie" <JHowie@securitytoolkit.com>
To: <jasonc@science.org>, <bugtraq@securityfocus.com>
Jason,
>
> I've proposed to Microsoft that they stop publishing Mitigating Factors in
> their security bulletins, and now it looks necessary to propose the same in
> a more open forum.
>
I disagree. From a risk perspective you need to know mitigating factors.
To kill the hype that accompanies a newly discovered vulnerability you
need a cool, dispassionate overview of the problem. Your sample
'aggravating' factor was anything but, and would be more likely to add
to the hype.
I think your decision to ask Microsoft first is a sign of your
prejudice. Why not ask the Open Source communities to lead the way? I
can see it now: "WARNING: By using Open Source code anyone can modify
the source, replace your binaries, and completely root your system!"
John Howie CISSP MCSE
President, Security Toolkit LLC