| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 07 Jan 2006 02:20:53 -0800 From: "dudevanwinkle@...il.com" <dudevanwinkle@...il.com> To: Gadi Evron <ge@...uxbox.org> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: Re: what we REALLY learned from WMF Gadi Evron wrote: > > I am not criticizing Microsoft over the patch. I am happy. > > I am just saying that we as an industry got used to False Positives, > slow responses, etc. We should demand more and this situation proved > it is possible. > > Gadi. Ja, all we have to do is write the patch for them, then we have great turn around ;-) Seriously though, I think the fact that someone else duplicated their patch (file date in the patch of the 28th shows this, as well as the bindiff) then they had pre-hotfix-release information on what bugs occured due to the removal of this abortproc wmf "feature" on a very large customer base (300GB of uploads before the site was taken offline, thats a _big_ test user base) was what made it possible for MS to release the patch earlier than promised. Still though, Gadi is right that this shows if there is enough demand for an RC1 patch, they may release them.... as long as the exploit can be googled beforehand and MS doesnt have to worry about ppl RCE'ing the beta patch and creating an exploit as a result of their program. a lot of "ifs" but it can happen -JP _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists