From: David Adams (dave@stuffeddog.com)
Date: Fri Dec 08 2000 - 06:35:29 PST
On Fri, 8 Dec 2000 cdale@silly.techmonkeys.net wrote:
RE No more MS security bulletins:
> This is pretty interesting. I understand this is not the first group of
> people they've done this toward. The idea confuses me: Keep people from
> helping you keep your customers' software updated for security reasons?
> Ho well. (:
I think a good argument can be made that this was a good move, designed to
enhance knowledge and security. And since Russ on NT-BugTraq made it, I
won't try to outdo him:
-----------------------------------------------------------------
Russ <Russ.Cooper@rc.on.ca> wrote:
FWIW, I applaud the change by Microsoft and I feel its detractors have
missed some important reasons the change was likely made.
1. Security Bulletins often change. A quick look at my hotfix pages for
IIS 4.0 or IIS 5.0 (http://ntbugtraq.ntadvice.com/iis4fixes.asp or
http://ntbugtraq.ntadvice.com/iis5fixes.asp) clearly show the number of
changes a bulletin might have. When the bulletins are fully available by
email, such changes cannot be made to them. Its very easy to have
conflicting information about the scope of a vulnerability depending on
which email version of the bulletin you're looking at. Keeping the
information in a single place, i.e. the web site, means that the
information will always be as up-to-date as MS has released to the public.
2. If you're one of those Administrators who tries to get important fix
information to you ASAP, say by having such messages forwarded to your
pager, such lengthy messages are often more of a bane than a benefit.
Knowing that a new bulletin has been released is the important
information, reading its contents, comprehending it, and obtaining the fix
are best done via a browser rather than email.
3. Email versions of Security Bulletins are frequently held in non-MS web
archives for a very long time. Unfortunately its very rare that those web
archives are updated to reflect new information that may have come to
light. An example might by the RDS issue, first sent out over 2.5 years
ago but updated and commented on (at the MS site) frequently since then.
If someone were reading the first advisory they might not appreciate the
full effect of the issue.
-----------------------------------------------------------------
Microsoft has a mailing list for security bulletins. With the change,
they just send a one-sentence description of the problem and a URL.
BugTraq and NTBugtraq are good lists for discussing problems, but any
administrator who is signed up for either of these lists should also be on
MS's notify list.
enjoy
-dave
http://stuffeddog.com
This archive was generated by hypermail 2b29 : Fri Dec 08 2000 - 07:02:08 PST