Subject: State of the hot fix (was: RE: Reporting Security Issues to Microsoft)
From: Carl Friedberg (friedberg@EXS.ESB.COM)
Date: Fri Jun 09 2000 - 03:24:36 CDT
Paul, David, and any other Microsoft lurkers:
What Microsoft might do to improve the situation:
(1) Publicize this e-mail address very well, and frequently: secure@microsoft.com
(2) Publicize an integrated (i.e. centralized) list of security hot-fixes,
by product, by Q-number, by name (e.g., Remote Registry Access fix) and
date, and by priority (mandatory, very important, good idea, only if you are
C2, blah, blah). Stashing some information on a security page, other on a
technet page, other on a "windows" page, etc., is not helpful.
(3) Provide easy to use, freely distributable tools to audit every single MS
software product for known security problems (hot-fix required (see priority
above) but not applied). While a variant of these tools might be web-based,
versions should be made available which can run behind firewalls, etc.
(4) Provide standardized (across MS product lines) version numbering, with a
clear tie-in to applied security (and other) hot-fixes.
(5) Make all hot-fixes cumulative, like service packs, when the priority is
mandatory. Just think how many versions of tcpip.sys, for instance, are
floating around. Do you know which one should be on your systems?
(6) Release updated master software frequently: NT4 with SP6a; IE501; o2k
sr1; oe2k; outlook2k; sql 7/2k; etc., etc. Each of these should have a clear
label on the cd rom showing the release date and the cumulative service
pack/hotfix level. Make any such updated media available free of charge
(come on, MS, shipping charges for a CD-ROM in an envelope should be
minuscule).
(7) Now that the commerce/state/defense departments have eased export
restrictions, maybe you can issue separate high and standard encrypted
versions, CLEARLY IDENTIFIED. I'm sure you would agree the encryption level
is a major security issue for every Microsoft customer. I suspect that not
every windows 2000 advanced server customer knows that the product, as
shipped, is always low encryption, no matter where or how purchased.
I'm sure all of you could add many more helpful items to this list.
The situation now is that Microsoft has emitted 40 security hot fixes in the
first 160 days of 2000, way ahead of the record year 1999. Microsoft have
not, regrettably, provided a consistent naming convention; nor a consistent
methodology for locating and applying patches across the Microsoft product
line. Microsoft have also eliminated (at least the reference to) the much
easier to use (IMHO) ftp site.
My personal opinion is that Microsoft has behaved badly by not taking a much
more proactive stance in making security fixes easy and consistent for the
system and/or security administrator. We need all the help we can get.
Carl Friedberg, carl@comets.com
-----Original Message-----
From: Microsoft Security Response Center [mailto:secure%MICROSOFT.COM@fwd.com]
Sent: Thursday, June 08, 2000 5:46 PM
To: win2ksecadvice
Subject: Reporting Security Issues to Microsoft
-----BEGIN PGP SIGNED MESSAGE-----
Hi All -
Seems like there's been a recent increase in the number of postings
whose theme is "I reported this to Microsoft but never heard anything
back". In each case, we've checked our records but, in most cases,
found no record of the issue having been sent to the Security Response
Center. We answer every email, and track every report we receive, so
we believe that the reports in question may have been sent to other
email addresses at Microsoft.
While most folks at Microsoft know to forward reports of potential
security vulnerabilities to us, the best way to ensure that the right
people are on the case is to send the report directly to us here at
the Security Response Center by emailing to secure@microsoft.com.
There's specific information at
http://www.microsoft.com/technet/security/contact.asp, discussing what
kinds of issues we can help with. Look forward to talking with you.
Regards,
Secure@microsoft.com
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2
iQEVAwUBOUAUL40ZSRQxA/UrAQFLnggAqYFXSsYyY3U2s14OSH7DxV1i2xYYaqk+
VyZo+cruzBjBl94XCusoyaWOaJRPBdhiUhiTrfavinZeiqzVBDk7ubDxh0H4IiSX
OC+TQs6i69YJ0LUOhnj75snGdFM7nyh939cQCwVDQL70/0yRiiLKw+dwbqGdall2
80BBQlc/brZ7WCT0epNJUkrSqeg5CeW6r1tmWvrFXHO3Ybj+lVFUlK7QyJyGfPlt
DrIHkr+pZ2PjuZ02V16bsibQiEes1fR27ss0aU89chWl5zeuBBuIvs96eT57HxHw
wm+wKnL+AWULgeVKjRDBvgLkvIknJqccH2Y/5ZogWTrIdOj2MtyNgw==
=cNBU
-----END PGP SIGNATURE-----
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv
listserv.ntsecurity.net
_____________________________________________________________________
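Items (2), (3) and (5) of the post describe the audit that an administrator of the time wanted: a single, priority-ranked list of required hot-fixes per product, a tool that compares it with what is actually installed, and cumulative fixes that satisfy everything they replace. The script below is an added example of that reconciliation logic, not code from the post, from the list, or from Microsoft. Every Q-number, fix name, product label and the inventory text in it are constructed placeholders; a real tool would read the hot-fix registry keys or installer output rather than this toy "key: value" text.

```python
# Added example: a minimal hotfix-compliance audit of the kind items (2), (3)
# and (5) of the post ask for. All Q-numbers, fix names and the inventory are
# constructed for illustration; they are not real Microsoft identifiers.
from dataclasses import dataclass

# Priority tiers as named in the post; lower rank = more urgent.
PRIORITY_RANK = {"mandatory": 0, "very important": 1, "good idea": 2, "only if C2": 3}


@dataclass(frozen=True)
class Hotfix:
    q_number: str          # constructed placeholder such as "Q000001"
    name: str
    product: str
    priority: str
    supersedes: frozenset = frozenset()  # older fixes this cumulative fix replaces


# Constructed "integrated list": one entry per fix, by product and priority.
REQUIRED = [
    Hotfix("Q000001", "Remote Registry Access fix (constructed)", "NT4", "mandatory"),
    Hotfix("Q000002", "tcpip.sys rollup (constructed)", "NT4", "mandatory",
           supersedes=frozenset({"Q000001"})),
    Hotfix("Q000003", "Example IIS fix (constructed)", "NT4", "very important"),
    Hotfix("Q000004", "Example C2 hardening fix (constructed)", "NT4", "only if C2"),
    Hotfix("Q000005", "Example Win2k fix (constructed)", "Win2k", "mandatory"),
]

# Constructed inventory of one host in a simple "key: value" text format.
SAMPLE_INVENTORY = """\
Host: fileserver01
Product: NT4
Hotfix: Q000002
Hotfix: Q000004
"""


def parse_inventory(text):
    """Return (product, set of applied Q-numbers) from the key: value text."""
    product = None
    applied = set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # skip blank or malformed lines
        key, value = key.strip(), value.strip()
        if key == "Product":
            product = value
        elif key == "Hotfix":
            applied.add(value.upper())
    return product, applied


def missing_hotfixes(required, product, applied):
    """Fixes for `product` that are neither applied nor superseded by an applied one.

    Cumulative fixes (item 5) satisfy everything they supersede, so an older
    Q-number is only reported when no later rollup covering it is present.
    """
    covered = set(applied)
    for fix in required:
        if fix.q_number in applied:
            covered |= fix.supersedes
    missing = [f for f in required if f.product == product and f.q_number not in covered]
    # Most urgent first, then by Q-number for a stable listing.
    return sorted(missing, key=lambda f: (PRIORITY_RANK[f.priority], f.q_number))


def audit_report(text, required=REQUIRED):
    """One human-readable line per missing fix, ordered by priority."""
    product, applied = parse_inventory(text)
    return [f"{f.priority.upper()}: {f.q_number} {f.name}"
            for f in missing_hotfixes(required, product, applied)]


if __name__ == "__main__":
    for line in audit_report(SAMPLE_INVENTORY):
        print(line)
```

On the constructed inventory the host has the tcpip.sys rollup, so the older fix it supersedes is not reported, and the only finding is the missing "very important" fix; running the same check with an empty inventory lists all four NT4 fixes with the mandatory ones first, which is the ordering an administrator wants when deciding what to apply tonight.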