blaming the reporter

Story: MS plays down impact of unpatched SQL Server flaw
Total Replies: 4
tuxchick

Dec 24, 2008
3:54 PM EDT
This landed in my email inbox:

Quoting: Merry Christmas and Happy Holidays to everyone.

Dan Chmielewski

Madison Alexander PR

This is an example of irresponsible disclosure. The person who found that issue took the proper steps to report it to Microsoft; however, they grew impatient with Microsoft and decided to release exploit code before Microsoft announced a patch. This so-called security researcher has therefore placed thousands of servers and potentially an untold number of persons' privately identifiable information at risk for purposes of their own popularity.

That being said, the recent zero day Internet Explorer bug has highlighted the large number of web sites vulnerable to SQL injection which are now vulnerable to more serious attacks using this zero day SQL flaw. In other words, what was 'bad' has now become 'worse'.


Aww, irresponsible disclosure! How rude. The responsible thing to do is give them as many years as they need to issue patches.

Quoting: It's not a new flaw but the same bug in the database software that emerged around the time of Microsoft's monthly Patch Tuesday update earlier this month.


Giggle.
Steven_Rosenber

Dec 24, 2008
4:26 PM EDT
Yeah, let's keep all this stuff under the rug so it doesn't have to get fixed!!
bigg

Dec 24, 2008
4:29 PM EDT
How irresponsible. If it hadn't been reported, only the bad guys would have known about it. It's not a problem that an exploit exists and is being used, it's only a problem that the users found out about it.

The standard Linux user response is to say that the guy with a Windows install disk in his hand is the irresponsible one.
Scott_Ruecker

Dec 24, 2008
4:57 PM EDT
This speaks directly to the issue of using proprietary software. It's not cool to just "let the cat out of the bag" when discovering a security issue or issues. Why? Because then their customers might form the opinion that maybe their software isn't as good or as secure as they were told it was. And when dealing with proprietary software, the only "reliable" information the customer can get is from the vendor, because no one but them knows what is really going on. You are told over and over that they are the experts and you should trust them because they only have your best interests at heart.

But as we all know, that information is piecemealed out and slanted so as not to give the impression that their software might be broken or not as good as they say it is. Then the customer's perception of the value of that software might change for the worse, and that could cost the company a lot of money in bad press, lost revenue and a lowered stock price.

You can't just have people knowing about undiscovered security holes, wide open back doors and long standing unfixed bugs. That is just bad business, I mean bad for the business.
gus3

Dec 24, 2008
10:13 PM EDT
And to pile on bad after bad, proprietary software makes it impossible to inspect the patches before applying them. One may only apply it, test it for known regressions (including the stated fix), and then hope for the best as it's deployed throughout the organization.
