Re: Administrivia: No More Microsoft Bulletins


From: cdale@silly.techmonkeys.net
Date: Fri Dec 08 2000 - 10:58:29 PST


I'm on the other side of that fence, but I think most of us have heard
both sides of it. (:
C

On Fri, 8 Dec 2000, David Adams wrote:

> On Fri, 8 Dec 2000 cdale@silly.techmonkeys.net wrote:
>
> RE No more MS security bulletins:
> > This is pretty interesting. I understand this is not the first group of
> > people they've done this toward. The idea confuses me: Keep people from
> > helping you keep your customers' software updated for security reasons?
> > Ho well. (:
>
> I think a good argument can be made that this was a good move, designed to
> enhance knowledge and security. And since Russ on NT-BugTraq made it, I
> won't try to outdo him:
>
> -----------------------------------------------------------------
> Russ <Russ.Cooper@rc.on.ca> wrote:
>
> FWIW, I applaud the change by Microsoft and I feel its detractors have
> missed some important reasons the change was likely made.
>
> 1. Security Bulletins often change. A quick look at my hotfix pages for
> IIS 4.0 or IIS 5.0 (http://ntbugtraq.ntadvice.com/iis4fixes.asp or
> http://ntbugtraq.ntadvice.com/iis5fixes.asp) clearly shows the number of
> changes a bulletin might have. When the bulletins are fully available by
> email, such changes cannot be made to them. It's very easy to have
> conflicting information about the scope of a vulnerability depending on
> which email version of the bulletin you're looking at. Keeping the
> information in a single place, i.e. the web site, means that the
> information will always be as up-to-date as MS has released to the public.
>
> 2. If you're one of those Administrators who tries to get important fix
> information to you ASAP, say by having such messages forwarded to your
> pager, such lengthy messages are often more of a bane than a benefit.
> Knowing that a new bulletin has been released is the important
> information; reading its contents, comprehending it, and obtaining the fix
> are best done via a browser rather than email.
>
> 3. Email versions of Security Bulletins are frequently held in non-MS web
> archives for a very long time. Unfortunately it's very rare that those web
> archives are updated to reflect new information that may have come to
> light. An example might be the RDS issue, first sent out over 2.5 years
> ago but updated and commented on (at the MS site) frequently since then.
> If someone were reading the first advisory they might not appreciate the
> full effect of the issue.
>
> -----------------------------------------------------------------
>
> Microsoft has a mailing list for security bulletins. With the change,
> they just send a one-sentence description of the problem and a URL.
> BugTraq and NTBugtraq are good lists for discussing problems, but any
> administrator who is signed up for either of these lists should also be on
> MS's notify list.
>
> enjoy
>
> -dave
> http://stuffeddog.com
>
>

-- 
 "A civilized society is one which tolerates eccentricity to the point of doubtful sanity."
          -- Robert Frost



This archive was generated by hypermail 2b29 : Fri Dec 08 2000 - 11:04:12 PST