Message-ID: <20060105223500.GB20863@damaged.no-ip.com>
Date: Thu, 5 Jan 2006 17:35:00 -0500
From: Damaged Industries <damaged@...aged.no-ip.com>
To: bugtraq@...urityfocus.com
Subject: Re: New from the MS Advisory


Windows Automatic Update now has the patch for this, live.

On Tue, Jan 03, 2006 at 08:19:21AM -0500, Larry Seltzer wrote:
> * What's Microsoft's response to the availability of third party patches for
> the WMF vulnerability?
> 
> Microsoft recommends that customers download and deploy the security update
> for the WMF vulnerability that we are targeting for release on January 10,
> 2006.
> 
> As a general rule, it is a best practice to utilize security updates for
> software vulnerabilities from the original vendor of the software. With
> Microsoft software, Microsoft carefully reviews and tests security updates
> to ensure that they are of high quality and have been evaluated thoroughly
> for application compatibility. In addition, Microsoft's security updates are
> offered in 23 languages for all affected versions of the software
> simultaneously.
> 
> Microsoft cannot provide similar assurance for independent third party
> security updates.
> 
> * Why is it taking Microsoft so long to issue a security update?
> 
> Creating security updates that effectively fix vulnerabilities is an
> extensive process. There are many factors that impact the length of time
> between the discovery of a vulnerability and the release of a security
> update. When a potential vulnerability is reported, designated product
> specific security experts investigate the scope and impact of a threat on
> the affected product. Once the MSRC knows the extent and the severity of the
> vulnerability, they work to develop an update for every supported version
> affected. Once the update is built, it must be tested with the different
> operating systems and applications it affects, then localized for many
> markets and languages across the globe.
> 

-- 
I'll pretend to trust you if you'll pretend to trust me.

                    Damaged Industries                     
          .-.  damaged at damaged.no-ip.com   .-.          
         /   \       .-.     _     .-.       /   \         
\-------/-----\-----/---\---/-\---/---\-----/-----\-------/
 \     /       \   /     `-'   `-'     \   /       \     / 
  \   /         `-'  KeyID: 0x19F8B6A2  `-'         \   /
   `-'       http://damaged.no-ip.com/pub.asc        `-' 
     35F1 BB56 DF58 F7D6 CFAF 3ED5 F306 F170 19F8 B6A2

