Date: Sun Mar 26 03:39:41 2006
From: n3td3v at gmail.com (n3td3v)
Subject: Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws

Sorry to say the n3td3v group involves employees (rogue) who have called for
this. You can ringgle and ranggle your political point of users within the MS
not having enough time scale to promote to a certain issue, but that's
complete crap. One reason being the folks within the n3td3v group are
actually people from MS, YAHOO, AOL, etc. already. The folks at n3td3v group
are part of the industry already, for you to put your point across Mr Valdis
is cool, but the n3td3v group, if you hadn't realised before, is part of a
between the major dot coms.

On 3/26/06, Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> wrote:
>
> On Sat, 25 Mar 2006 22:12:23 GMT, n3td3v said:
>
> > You Microsoft must officially agree that all flaws marked as "Critical"
> > must have a patch within 7 to 14 days of public disclosure.
>
> OK... Nice try.
>
> Too bad you didn't add a requirement that the patch actually be *correct*.
>
> Also, you're totally overlooking the fact that *sometimes*, fixing a problem
> requires some major re-architecting - for instance, if an API has to be
> changed, then *every* caller has to be updated, and quite possibly
> re-designed, and the changes have an annoying tendency to ripple outward
> (if subroutine A has a 7th parameter added, then everybody who calls A has
> to be updated.  And it's likely that you'll find routines B, C, and D that
> have no *idea* what the correct value of the parameter should be, because
> they don't have access to the data - so now callers of B, C, and D have to
> pass another parameter that gets passed to A).
>
> Any company that will commit to a "must" on this one is nuts.  It's a good
> target, but making it mandatory is just asking companies to ship a
> half-baked patch that seems to fix the PoC rather than the underlying
> design flaw.
>
> And going back and reviewing the patch history on IE is instructive - more
> than once, Microsoft has released a patch for a known Javascript flaw, only
> to find out within a week that a very slight change would make the exploit
> work again.
>
> Is that *really* what you want?  It's certainly not what *I* want.  Waiting
> another 3-4 days past your arbitrary 14-day limit for a *good* patch is
> certainly preferable for those of us who actually have to deal with this
> stuff for a living, rather than hide out on a Yahoo group.
>