# Friday, 17 July 2009
Responsible Disclosure, Irresponsible Patching?

In December 2006 I reported a critical .NET security vulnerability to Microsoft. When I found the issue it had already been fixed in Vista, but it still took them until July 2007 to release a fix for XP. Seven months; I thought that was pretty bad.

In September 2008 I reported another critical .NET security vulnerability to Microsoft. The fix for this issue was trivial and made it into the subsequent Silverlight 2.0 RTM on October 13th. This week the July patches were released, and for the tenth month there is still no security bulletin about this issue.

On Wednesday I mailed the Microsoft Security Response Center to ask what the status is. I received no reply.

So I decided to investigate. I quickly discovered that my main (Vista) system was already patched (!). After some digging I found that on XP, Windows Update offers KB951847 which contains a fix.

The KB article makes no mention of any security fixes, nor is there a corresponding security bulletin.

If this is Microsoft's idea of responsible disclosure, then maybe I should also apply my "no Microsoft bug filing" policy to security issues.

Friday, 17 July 2009 10:37:40 (W. Europe Daylight Time, UTC+02:00)