It’s 5am, I haven’t slept. A critical ASP.NET security update is being issued out-of-band today. Immediately, I sprang into “what the hell, Microsoft?” mode, given our government (US-CERT) indicated Microsoft was contacted about this back on November 1. (And the fact that I have to worry about ChevronWP7 Labs on Azure and our product at work.) I went as far as to complain on Twitter, my channel of choice. But a few Microsoft folks pinged me, forcing me to do some fact checking.
Yep. I should’ve known not to blindly trust what was on US-CERT, sigh.
Upon inspection of the actual disclosure, one area jumped out at me:
2011/11/01 Coordinated notification to PHP, Oracle, Python, Ruby, Google
2011/11/29 Coordinated notification to Microsoft via CERT
I couldn’t find a shred of evidence to suggest this flaw was being exploited by malicious actors or that the information was discovered by other folks – possible reasons that would have explained such a disclosure. This appears to just be a classic case of dirtbagery.
Here’s how the adults handle this, take notes, guys: