
> 2020-12-03 Microsoft advises that due to issues identified in testing, the fix will now slip to January 2021.

> 2020-12-08 Meeting between MSRC and Project Zero leadership to determine details and discuss next steps. The 14-day grace period is unavailable as Microsoft do not plan to patch this issue before Jan 6 (next patch Tuesday is Jan 12).

> 2020-12-23 90 day deadline exceeded - derestricting issue.

Ouch. With Xmas in the middle of the grace period, I could see how this can be considered too strict on P0's part. Then again, the initial bad fix surely harmed whatever trust there was between the parties.



It's being actively exploited, so frankly a 14-day grace period is the best MS can hope for.


Any grace period for actively exploited bugs is irresponsible. Stuff that the bad guys use needs to be public asap.


> The only difference between CVE-2020-0986 is that for CVE-2020-0986 the attacker sent a pointer and now the attacker sends an offset.

CVE-2020-0986 had been discovered in the wild in May. Microsoft claimed to have fixed it, so this was logged as a separate CVE, even though it's essentially the same bug (the fix can be trivially circumvented), and P0 has given it a new 90-day period, which has now run out.

I wouldn't call it too strict, they had much more than 90 days to fix it properly.



