| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun Mar 26 12:37:13 2006 From: ad at heapoverflow.com (ad@...poverflow.com) Subject: Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 well for me n3td3v and probably a lot here , you are in the junk settings because I think most FD list is really pissed off your international kiddie attitude... n3td3v wrote: > Sorry to say the n3td3v group involves employees (rogue) who have > called for this. You can ringgle and ranggle your poltical point of > users within the MS not having enough time scale to promote to a > certain issue, but thats complete crap. One reason being the folks > within the n3td3v group are actually people from MS, YAHOO, AOL, etc > already. The folks at n3td3v group are part of the industry already, > for you to put your point across mr Valdis is cool, but the n3td3v > group if you hadent realised before is part of a between the major > dot coms. > > On 3/26/06, *Valdis.Kletnieks@...edu > <mailto:Valdis.Kletnieks@...edu>* <Valdis.Kletnieks@...edu > <mailto:Valdis.Kletnieks@...edu>> wrote: > > On Sat, 25 Mar 2006 22:12:23 GMT, n3td3v said: > > > You Microsoft must officially agree that all flaws marked as > "Critical" must > > have a patch within 7 to 14 days of public disclosure. > > OK... Nice try. > > Too bad you didn't add a requirement that the patch actually be > *correct*. > > Also, you're totally overlooking the fact that *sometimes*, > fixing a problem > requires some major re-architecting - for instance, if an API > has to be changed, > then *every* caller has to be updated, and quite possibly > re-designed, and > the changes have an annoying tendency to ripple outward (if > subroutine A > has a 7th parameter added, then everybody who calls A has to be > updated. And > it's likely that you'll find routines B, C, and D that have no > *idea* what the > correct value of the parameter should be, because they don't > have access to the > data - so now callers of B, C, and D have to pass another > parameter that gets > passed to A). > > Any company that will commit to a "must" on this one is > nuts. It's a good > target, but making it mandatory is just asking companies to ship > a half-baked > patch that seems to fix the PoC rather than the underlying > design flaw. > > And going back and reviewing the patch history on IE is > instructive - more than > once, Microsoft has released a patch for a known Javascript > flaw, only to find > out within a week that a very slight change would make the > exploit work again. > > Is that *really* what you want? It's certainly not what *I* > want. Waiting > another 3-4 days past your arbitrary 14-day limit for a *good* > patch is certainly > preferable for those of us who actually have to deal with this > stuff for a living, > rather than hide out on a Yahoo group. > > > > > > ---------------------------------------------------------------------- > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.1 (MingW32) iD8DBQFEJnzeFJS99fNfR+YRArtZAKCVWIGekBeIyCSPIBC4M6ouQrNQzgCaAoJt NV62LR4xtgZ6BnT/dozX0vU= =W52r -----END PGP SIGNATURE-----
Powered by blists - more mailing lists