
Perhaps the pressure could have been applied privately. Like the researcher gaining access to achieved milestones. As long as Microsoft's progress would have been reasonable, no release.

This issue is very time consuming to fix and very easy to exploit, and it affects a large number of people, directly and indirectly. A full system compromise from unprivileged process or sandbox.

Even if you don't personally use Windows, this might for example be used to compromise your data processed somewhere else.

I completely agree there needs to be very strong pressure on the vendors, and a 90-day response is a very effective tool for that. But there should be some kind of alternative way to apply pressure on the vendor in cases that take a long time to fix and cause devastating collateral damage.

Any script kiddie can now start to use this in hours or days.

> Perhaps the pressure could have been applied privately. Like researcher gaining access to achieved milestones. As long as Microsoft's progress would have been reasonable, no release.

Perhaps you should read the thread describing the communication with Microsoft. It sounds to me like the issue was not just the complexity of the bug, but a failure of organization/communication on Microsoft's part.

https://bugs.chromium.org/p/project-zero/issues/detail?id=18...

Yeah, that doesn't look good for Microsoft. I thought they'd already learned their lesson, but maybe they need a periodic embarrassment for that.

I believe taviso is familiar with Microsoft applying pressure privately.
