> I presume that these are nine of the
> "top 10 content providers".

Actually, no. Our internal testing covered a limited collection of what we considered the most prevalent enterprise products. When it became clear that the issues were widespread, we brought NISCC in to coordinate passing out a set of canned test tools to all the MIME-related vendors they could find (anecdotally, I think this was something like 100+). We obviously have the results of our own testing (which is where the stats come from), but the other vendors have been invited to make their own declaration as to the outcome of the test tools. Needless to say, the statements provided so far are somewhat sparse; the only vendor from our original test set to make a statement is F-Secure.

> I also note that Microsoft was not listed as a vendor that responded.
> Were their products tested and if so what were the results?

Yes, they were tested. Yes, they have chosen not to make a public statement. I personally don't know why this may be so. Perhaps you could ask them? ;)

The release model for these vulnerabilities has been the best compromise of what is a difficult situation. Releasing as individual advisories (or per-product clumps) was never going to be ideal, both because of the volume and because earlier public releases expose information about products that come later in the process. The solution chosen was to pick a date far off in the future, to provide the vendors with all the information they needed to replicate the issues, and then to allow them to make their own public statements as to compliance. Effectively the same model as the SNMP issues from a few years ago. History may prove this not to be ideal, and a better model may be needed.

Regards,

Martin O'Neal