Date: Fri, 06 Jan 2006 14:22:48 +0000
From: Gavin Conway <gavin@...olutions.co.uk>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com
Subject: Re: what we REALLY learned from WMF


Gadi Evron wrote:
> What we really learn from this all WMF "thingie", is that when Microsoft 
> wants to, it can.
> 
> Microsoft released the WMF patch ahead of schedule
> ( http://blogs.securiteam.com/index.php/archives/181 )
> 
> Yep, THEY released the PATCH ahead of schedule.
> 
> What does that teach us?
> 
> There are a few options:
> 1. When Microsoft wants to, it can.
> 
> There was obviously pressure with this 0day, still — most damage out 
> there from vulnerabilities is done AFTER Microsoft releases the patch 
> and the vulnerability becomes public.
> 
> 2. Microsoft decided to jump through a few QA tests this time, and 
> release a patch.
> 
> Why should they be releasing BETA patches?
> If they do, maybe they should release BETA patches more often, let those 
> who want to - use them. It can probably also shorten the testing period 
> considerably.
> If this patch is not BETA, but things did just /happen/ to progress more 
> swiftly.. then maybe we should re-visit option #1 above.
> 
> ...
> 
> Maybe it’s just that we are used to sluggishness. Perhaps it is time we, 
> as users and clients, started DEMANDING of Microsoft to push things up a 
> notch.
> 
> ...
> 
> Put in the necessary resources, and release patches within days of first 
> discovery. I’m willing to live with weeks and months in comparison to 
> the year+ that we have seen sometimes. Naturally some problems take 
> longer to fix, but you get my drift.
> 
> It’s just like with false positives… as an industry we are now used to 
> them. We don’t treat them as bugs, we treat them as an “acceptable level 
> of”, as I heard Aviram mention a few times.
> 
> ...
> 
> The rest is in my blog entry on the subject:
> http://blogs.securiteam.com/index.php/archives/182
> 
>     Gadi.

Although I agree with a lot of what you have said I do feel that this is 
a rather shameless way to start what is undoubtedly to become a 
'flame-war' and to pimp your own website. Please try to keep bugtraq on 
target by posting bug related items.

Kind Regards,

Gavin Conway


-- 
UKS Ltd, Birmingham Road, Studley, Warwickshire, B80 7BG
Tel: 08700 681 333  -  Fax: 01527 851 301  -  AS: 20547
gavin@...olutions.co.uk  -  www.uksolutions.co.uk
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
