| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <43BDB4B5.1060906@pacbell.net> Date: Thu, 05 Jan 2006 16:07:17 -0800 From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@...bell.net> To: Gadi Evron <ge@...uxbox.org> Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>, bugtraq@...urityfocus.com Subject: Re: what we REALLY learned from WMF Don't release a beta patch .... 1. it would get patches into reverse engineering faster [hello look what happened to the leaked patch] and 2. Don't ask for an untested patch if you are not willing to be there in the newsgroups, communities and listserves helping the dead bodies after a bad patch sir. Do you do/handle change management in your firm? Even in my small firm I could not handle the 'any time/any day' that patches used to come out before. Be careful of what you ask for sir...because if you get what you want.... ensure your firm has the resources to test/deploy/change management on a 24 hours a day 7 days a week schedule because exploits can be built in less than 20 minutes. If the security issue has been responsible disclosed, there is a process that is needed to build a patch and test the patch. Some issues take more than 'days' sir. And testing takes time as well, sir. For my community I want tested patches sir, and I will argue until doomsday on that point. Don't hurt my community with a bad patch or a beta patch, sir. Susan SBS community member Gadi Evron wrote: > What we really learn from this all WMF "thingie", is that when > Microsoft wants to, it can. > > Microsoft released the WMF patch ahead of schedule > ( http://blogs.securiteam.com/index.php/archives/181 ) > > Yep, THEY released the PATCH ahead of schedule. > > What does that teach us? > > There are a few options: > 1. When Microsoft wants to, it can. > > There was obviously pressure with this 0day, still — most damage out > there from vulnerabilities is done AFTER Microsoft releases the patch > and the vulnerability becomes public. > > 2. Microsoft decided to jump through a few QA tests this time, and > release a patch. > > Why should they be releasing BETA patches? > If they do, maybe they should release BETA patches more often, let > those who want to - use them. It can probably also shorten the testing > period considerably. > If this patch is not BETA, but things did just /happen/ to progress > more swiftly.. than maybe we should re-visit option #1 above. > > ... > > Maybe it’s just that we are used to sluggishness. Perhaps it is time > we, as users and clients, started DEMANDING of Microsoft to push > things up a notch. > > ... > > Put in the necessary resources, and release patches within days of > first discovery. I’m willing to live with weeks and months in > comparison to the year+ that we have seen sometimes. Naturally some > problems take longer to fix, but you get my drift. > > It’s just like with false positives… as an industry we are now used to > them. We don’t treat them as bugs, we treat them as an “acceptable > level of”, as I heard Aviram mention a few times. > > ... > > The rest is in my blog entry on the subject: > http://blogs.securiteam.com/index.php/archives/182 > > Gadi. > -- Letting your vendors set your risk analysis these days? http://www.threatcode.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists