Date: Sat Jan  7 12:14:18 2006
From: dudevanwinkle at gmail.com (dudevanwinkle@...il.com)
Subject: Re: what we REALLY learned from WMF

Gadi Evron wrote:

>
> I am not criticizing Microsoft over the patch. I am happy.
>
> I am just saying that we as an industry got used to False Positives,
> slow responses, etc. We should demand more and this situation proved
> it is possible.
>
>     Gadi.


Ja, all we have to do is write the patch for them, then we have great
turn around ;-)

Seriously though, I think the fact that someone else duplicated their
patch (file date in the patch of the 28th shows this, as well as the
bindiff) then they had pre-hotfix-release information on what bugs
occurred due to the removal of this abortproc wmf "feature" on a very
large customer base (300GB of uploads before the site was taken offline,
that's a _big_ test user base) was what made it possible for MS to
release the patch earlier than promised.

Still though, Gadi is right that this shows if there is enough demand
for an RC1 patch, they may release them.... as long as the exploit can
be googled beforehand and MS doesn't have to worry about ppl RCE'ing the
beta patch and creating an exploit as a result of their program.

a lot of "ifs" but it can happen

-JP
