Open Source and information security mailing list archives
 
Message-ID: <03fd01c61068$532fe9d0$0d00005a@moregarlic.com>
Date: Tue, 3 Jan 2006 08:19:21 -0500
From: "Larry Seltzer" <larry@...ryseltzer.com>
To: "'Gadi Evron'" <gevron@...il.com>
Cc: "'FunSec [List]'" <funsec@...uxbox.org>,
	<bugtraq@...urityfocus.com>
Subject: New from the MS Advisory


* What's Microsoft's response to the availability of third party patches for
the WMF vulnerability?

Microsoft recommends that customers download and deploy the security update
for the WMF vulnerability that we are targeting for release on January 10,
2006.

As a general rule, it is a best practice to utilize security updates for
software vulnerabilities from the original vendor of the software. With
Microsoft software, Microsoft carefully reviews and tests security updates
to ensure that they are of high quality and have been evaluated thoroughly
for application compatibility. In addition, Microsoft's security updates are
offered in 23 languages for all affected versions of the software
simultaneously.

Microsoft cannot provide similar assurance for independent third party
security updates.

* Why is it taking Microsoft so long to issue a security update?

Creating security updates that effectively fix vulnerabilities is an
extensive process. There are many factors that impact the length of time
between the discovery of a vulnerability and the release of a security
update. When a potential vulnerability is reported, designated product
specific security experts investigate the scope and impact of a threat on
the affected product. Once the MSRC knows the extent and the severity of the
vulnerability, they work to develop an update for every supported version
affected. Once the update is built, it must be tested with the different
operating systems and applications it affects, then localized for many
markets and languages across the globe.



