Message-ID: <3a166c090603251839m45892df0wa0d8abff0b51480e@mail.gmail.com>
Date: Sun Mar 26 03:39:41 2006
From: n3td3v at gmail.com (n3td3v)
Subject: Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws
Sorry to say the n3td3v group involves employees (rogue) who have called for
this. You can ringgle and ranggle your political point of users within the MS
not having enough time scale to promote to a certain issue, but that's
complete crap. One reason being the folks within the n3td3v group are
actually people from MS, YAHOO, AOL, etc. already. The folks at n3td3v group
are part of the industry already; for you to put your point across, Mr Valdis,
is cool, but the n3td3v group, if you hadn't realised before, is part of a
between the major dot coms.
On 3/26/06, Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> wrote:
>
> On Sat, 25 Mar 2006 22:12:23 GMT, n3td3v said:
>
> > You Microsoft must officially agree that all flaws marked as "Critical" must
> > have a patch within 7 to 14 days of public disclosure.
>
> OK... Nice try.
>
> Too bad you didn't add a requirement that the patch actually be *correct*.
>
> Also, you're totally overlooking the fact that *sometimes*, fixing a problem
> requires some major re-architecting - for instance, if an API has to be changed,
> then *every* caller has to be updated, and quite possibly re-designed, and
> the changes have an annoying tendency to ripple outward (if subroutine A
> has a 7th parameter added, then everybody who calls A has to be updated. And
> it's likely that you'll find routines B, C, and D that have no *idea* what the
> correct value of the parameter should be, because they don't have access to the
> data - so now callers of B, C, and D have to pass another parameter that gets
> passed to A).
>
> Any company that will commit to a "must" on this one is nuts. It's a good
> target, but making it mandatory is just asking companies to ship a half-baked
> patch that seems to fix the PoC rather than the underlying design flaw.
>
> And going back and reviewing the patch history on IE is instructive - more than
> once, Microsoft has released a patch for a known Javascript flaw, only to find
> out within a week that a very slight change would make the exploit work again.
>
> Is that *really* what you want? It's certainly not what *I* want. Waiting
> another 3-4 days past your arbitrary 14-day limit for a *good* patch is certainly
> preferable for those of us who actually have to deal with this stuff for a living,
> rather than hide out on a Yahoo group.
>