Open Source and information security mailing list archives
Date: Tue Sep 20 01:07:41 2005
From: jlauro at umflint.edu (Lauro, John)
Subject: OSS means slower patches

Might be, if I could believe the stats...  The problem is that the stats
are messed up.   It claims only 8 critical flaws in IE this year, and
a low average time for fixing the flaws.  That number may be correct
in terms of critical flaws, but some of the critical flaws in IE were
found last year (and only recently fixed); it's just that many flaws
are not publicly acknowledged by Microsoft until a patch is
available...  Because of the openness of OSS, it might be that the
time between wide-spread public awareness of a hole and patch
availability is larger, but that does not mean slower patches in
terms of the actual vulnerability, as the data reported for IE was
clearly flawed.  Or maybe the study (to make IE look good) tossed out
vulnerabilities found last year but only fixed this year???  To
really determine the difference, you must track back to the
oldest version of the software that could be exploited, instead of
to when it was "publicly" acknowledged...


> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Ivan .
> Sent: Monday, September 19, 2005 8:03 AM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] OSS means slower patches
> 
> An interesting perspective?
> 
> http://australianit.news.com.au/articles/0,7204,16650762%5E15306%5E%5Enbv%5E,00.html
> 
> Symantec Australia managing director David Sykes said the increasing
> popularity of open source software, such as the Mozilla Foundation's
> Firefox browser, could be part of the reason for the increase in the
> gap between vulnerability and patch, with the open source development
> model itself part of the problem. "It is relying on the goodwill and
> best efforts of many people, and that doesn't have the same commercial
> imperative," he said. "I'm sure that is part of what is causing the
> blow-out in the patch window."
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
