Message-ID: <43BE7D38.7030507@uksolutions.co.uk>
Date: Fri Jan  6 15:00:41 2006
From: gavin at uksolutions.co.uk (Gavin Conway)
Subject: Re: what we REALLY learned from WMF

Gadi Evron wrote:
> What we really learn from this all WMF "thingie", is that when Microsoft 
> wants to, it can.
> 
> Microsoft released the WMF patch ahead of schedule
> ( http://blogs.securiteam.com/index.php/archives/181 )
> 
> Yep, THEY released the PATCH ahead of schedule.
> 
> What does that teach us?
> 
> There are a few options:
> 1. When Microsoft wants to, it can.
> 
> There was obviously pressure with this 0day, still, most damage out 
> there from vulnerabilities is done AFTER Microsoft releases the patch 
> and the vulnerability becomes public.
> 
> 2. Microsoft decided to jump through a few QA tests this time, and 
> release a patch.
> 
> Why should they be releasing BETA patches?
> If they do, maybe they should release BETA patches more often, let those 
> who want to - use them. It can probably also shorten the testing period 
> considerably.
> If this patch is not BETA, but things did just /happen/ to progress more 
> swiftly... then maybe we should re-visit option #1 above.
> 
> ...
> 
> Maybe it's just that we are used to sluggishness. Perhaps it is time we, 
> as users and clients, started DEMANDING of Microsoft to push things up a 
> notch.
> 
> ...
> 
> Put in the necessary resources, and release patches within days of first 
> discovery. I'm willing to live with weeks and months in comparison to 
> the year+ that we have seen sometimes. Naturally some problems take 
> longer to fix, but you get my drift.
> 
> It's just like with false positives; as an industry we are now used to 
> them. We don't treat them as bugs, we treat them as an "acceptable level 
> of", as I heard Aviram mention a few times.
> 
> ...
> 
> The rest is in my blog entry on the subject:
> http://blogs.securiteam.com/index.php/archives/182
> 
>     Gadi.

Although I agree with a lot of what you have said I do feel that this is 
a rather shameless way to start what is undoubtedly to become a 
'flame-war' and to pimp your own website. Please try to keep bugtraq on 
target by posting bug related items.

Kind Regards,

Gavin Conway


-- 
UKS Ltd, Birmingham Road, Studley, Warwickshire, B80 7BG
Tel: 08700 681 333  -  Fax: 01527 851 301  -  AS: 20547
gavin@...olutions.co.uk  -  www.uksolutions.co.uk
