Go back and read the original post.
Whether or NOT this is a true vulnerability....
"VENDOR RESPONSE
This issue was reported to Microsoft on Feb 11, 2005, acknowledged by
support, and as of today our best efforts to get a hotfix (or even a
commitment to produce a hotfix at some later date) have been fruitless. "
So let's see email sent 2/10 to secure@microsoft.com [you did contact
secure@ right?] and on 2/23 since you received no patch [13 days for
patch testing...dude...get real] you blasted this to a listserve?
I emailed Sonny on the 23rd asking if he wanted a fast patch that broke
stuff or a tested patch. He's yet to respond to me on that question.
"If" this is a issue, "If" it needs a patch, Sonny didn't even let a
"Patch Tuesday" go by before blasting.
Whether or not you want to cut Microsoft some slack... there's a process
of ethical and responsible disclosure that I would expect Sonny as a
representative of a governmental agency would understand. He not only
put his own government computers at risk but others in this disclosure, yes?
How about cutting us Admins some slack even if you "don't" cut Redmond some?
Susan
Jay D. Dyson wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 25 Feb 2005, Paul wrote:
Seriously, people, cut Microsoft some slack. They're doing the best
they can.
Considering that Microsoft is a multi-billion dollar corporation,
I cannot agree that it deserves any slack. If Microsoft can afford to
sell software that leaves its customers at risk, it can afford to
issue hotfixes to remedy the problems that it created. And I don't
buy into the "get the Service Pack" argument after having dealt with
the ridiculously FUBAR'd mess called SP2 for XP that went down last year.
Bottom line: Microsoft customers are paying gourmet prices for
Redmond's products and are getting McDonald's quality for security.
- -Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee"-.
>====<--.
C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@treachery.net -----<) | =
|-'
`--' `--' `-I just started World War III. You're welcome.-' `------'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.
iD8DBQFCILLlBYoRACwSF0cRAmorAJwNfCme2RBnV6rrqGqTjHMH/2friwCeMZjH
OtuTdoBHOvXjZSg0kSOfHKE=
=ENFp
-----END PGP SIGNATURE-----
--
Chapter 4 of The Complete Patch Management Book:
https://www.ecora.com/ecora/jump/pm149.asp
So why is it the only book on NT Event Logging is out of print?
http://tinyurl.com/3kwc2
And if you don't know about www.eventid.net You should!
