| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <EKECJMGPAACGOMIGLJJDMEJFDPAA.geoincidents@getinfo.org> From: geoincidents at getinfo.org (Geo.) Subject: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption >>Resolution of vulnerabilities is not the same thing as technical detail _disclosure_ of details about the vulnerability.<< Ok they are not the same but it is the _details_ that are important, we aren't taking about point and click PoC code, we are talking about details of the flaw. This is a library function, so how do you know what else it might affect or if other libraries on other OS may have the same (remember POD?) sort of issues? >>But full detail bulletins should lag the initial release of the patch by some number of weeks/months.<< But then nobody else who has a similar product or uses the same library but maybe not the specific function can tell if their product also requires an update, so you want to set them back by a number of weeks/months? You are assuming that a vulnerability affects only one vendor but by doing so you may be slowing down the release of patches for other products can also be affected. >>As far as Eeye having a stockpile of Microsoft vulnerabilities and I would assume lab code that can exersize them, doesn't bother me as much<< If you were in competition with Microsoft on some Windows product, would Microsoft constantly having multiple backdoors to any of your systems worry you? Geo.
Powered by blists - more mailing lists