Dailydave mailing list archives
RE: RE: Microsoft silently fixes security vulnerabilities
From: "Steve Manzuik" <smanzuik () eeye com>
Date: Fri, 21 Apr 2006 12:07:44 -0700
> What if the vendor disclosed in every patch the maximum severity level of any vulnerabilities fixed in the patch without disclosing specifics? Would this be a good middle-ground solution?

They already do this. At least MS does this. We have seen patches that are rated critical but also fix a number of medium and low issues. The point here, though, is that most experienced IT admins do not trust the vendor rating. I am not saying it is right, but it is the way things are.

> issue in Foo Corp's MechaFoo.

MechaFoo. The first product named that I will buy. :P

> Is this a sufficient solution to simultaneously provide the poor IT guy with information for risk assessment purposes while not providing excessive information that might hasten exploitation?

Based on my experience from being an IT guy, a consultant, and now working for a software vendor: no, this isn't enough information. As HD said in his other email, the silently fixed vulnerabilities are the ones pen-testers love and are equally loved by attackers.