Microsoft is the one big company screaming loudest of all over "responsible disclosure".
They want an infinite amount of time to release their patches before those who found the problem are allowed to publish (though those researchers can publish the second after Microsoft releases the patch, and all is fine for Microsoft; for their customers it's a bit of a different matter, of course). Of course attackers couldn't care less about disclosure, and even some vulnerability researchers don't care for the credit line that Microsoft offers, nor for the "irresponsible" brand it might earn them.
Still, a policy typically cuts both ways: you need to obey the rules yourself just as much as all the others.
So let's have a look at MS09-017:
We all know from past experience that the reverse engineering of patches back into exploits starts at the time the patches are released, if not before. Typically it takes between hours and a day or so to complete if the vulnerability is easy to exploit (and the new Microsoft exploitability rating points out that these are pretty easy).
So in the end Microsoft just released what hackers need to attack:
So what do you think of Microsoft and their "responsible" behavior in releasing MS09-017 as it was done?
May 12th 2009