Bugtraq mailing list archives
Re: NT RPC Hotfix
From: brad.powell () West Sun COM (Brad.Powell)
Date: Fri, 24 Jan 1997 08:14:54 -0800
Aleph One writes:
Microsoft just released a hotfix for the RPC vulnerability: Their quick turnaround time leaves to shame Unix vendors that take weeks or months to provide a patch. Oh well.
I usually don't get into these kinds of debates :-), but what the hell ;^) Sorry guy, I disagree with your reasoning. To the uninitiated this might be a logical conclusion, but having fought a lot of companies for patches over the years (security as well as bug and panic fixes), I'd have to say that MS probably *knew* about the bug and had a fix waiting for release in the next OS. They probably took the posture of keeping it quiet since there wasn't any "problem". MY OPINION ONLY, so don't get mad :-)

Many companies take this posture. This is what I tried to change when I started the customer warning system at Sun. Radical notion, I know, but at the time I had grandiose notions of working honestly and up front with customers (I still believe this). CERT back then was great at tracking and making sure I got patches out for bugs that we *didn't* know about until someone came forward. We proactively sent out patches for bugs that we did know about *before* there was a posting. I haven't given up on the system :-).

I do understand that many bugs are in most Unix variants, and so each vendor needs to be notified and get their patch ready, and CERT doesn't send out a notice until there are patches for -each- system. This practice I don't quite like, since there may be a Sun or HP patch available for 2-3 months before a notice goes out: the patch waits for all the other vendors to get their fix in, the coordination time takes many CERT cycles, and everybody loses (imho). I'd prefer that as soon as all vendors get the notice of a (security) bug, CERT would give them two weeks and then post the notice. If Sun is slow about getting out a fix, or HP or IBM or whomever, fine, let's let the customers see some competition, and I'm willing to accept that the market decides which companies survive and which don't.

I also know that when a bug comes out, a workaround can commonly be done in a few hours, and I also know that many persons reporting bugs often already have a fix (sometimes better than the fix we came up with). So to make a long story short (too late), a fast turnaround doesn't mean "proactive" working with customers. It can mean keeping your mouth shut and not getting the information out until you have to. Again, MY opinion. Off the soap-box now (must be this new "shock coffee").

Brad.