, 2006-03-07
There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn't exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have to make these issues public?
The value of vulnerabilities (2006-03-08) - Omar A. Herrera (2 replies)
Re: Good Points (2006-03-08) - R_U_Trustified (2 replies)
Re: Re: Good Points (2006-03-09) - Matthew Murphy (1 reply)
Re: Re: Re: Good Points (2006-03-14) - Robert E. Lee (1 reply)

It's not often that I read writing that hits a nail so squarely on the head.
Vendors need to start taking some responsibility for ridiculous disclosure timelines. Two come to mind as the chief offenders in this respect: Microsoft and Oracle.
I've created a page on my web site with information about vulnerabilities I've been asked to keep a lid on, with the very purpose of exposing such practices:
http://student.missouristate.edu/m/matthew007/research/upcoming.asp
The two vulnerability reports listed have a combined age of 226 days as I'm writing this comment. Another vulnerability that I disclosed publicly (CVE-2005-3240) is 200+ days from its original report and won't be officially fixed for at least another year.
The other damning fact is that Windows 2000 won't receive a patch -- meaning that supported code will remain vulnerable until support for Windows 2000 expires in 2010!
This isn't an isolated instance either -- Microsoft received a report of a remotely-exploitable vulnerability in Visual Studio in July 2002, which remains only partially patched today. Research by myself and others has illustrated that trivially-exploitable applications are, in fact, still reachable on the internet (in spite of being fully updated) as we near four years later.
That... is a disgrace, and a denial of the facts: people know about vulnerabilities before they're disclosed. Otherwise, security research would not exist.