Dailydave mailing list archives

RE: RE: Microsoft silently fixes security vulnerabilities


From: "Steve Manzuik" <smanzuik () eeye com>
Date: Fri, 21 Apr 2006 12:07:44 -0700

What if the vendor disclosed in every patch the maximum 
severity level of any vulnerabilities fixed in the patch 
without disclosing specifics?  Would this be a good 
middle-ground solution?

They already do this.  At least MS does this.  We have seen patches that are rated critical but also fix a number of medium and low issues.  The point here, though, is that most experienced IT Admins do not trust the vendor rating.  I am not saying it is right, but it is the way things are.

issue in Foo Corp's MechaFoo.  

MechaFoo.  The first product named that I will buy. :P  

Is this a sufficient solution to simultaneously provide the 
poor IT guy with information for risk assessment purposes 
while not providing excessive information that might hasten 
exploitation?

Based on my experience from being an IT guy, a consultant, and now working for a software vendor: no, this isn't enough information.  As HD said in his other email -- the silently fixed vulnerabilities are the ones pen-testers love and are equally loved by attackers.
