Full Disclosure mailing list archives

Re: Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws


From: n3td3v <n3td3v () gmail com>
Date: Sun, 26 Mar 2006 03:39:32 +0100

Sorry to say the n3td3v group involves employees (rogue) who have called for
this. You can ringgle and ranggle your political point of users within the MS
not having enough time scale to promote to a certain issue, but that's
complete crap. One reason being the folks within the n3td3v group are
actually people from MS, YAHOO, AOL, etc already. The folks at n3td3v group
are part of the industry already, for you to put your point across Mr Valdis
is cool, but the n3td3v group, if you hadn't realised before, is part of a
between the major dot coms.

On 3/26/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:

On Sat, 25 Mar 2006 22:12:23 GMT, n3td3v said:

You Microsoft must officially agree that all flaws marked as "Critical" must
have a patch within 7 to 14 days of public disclosure.

OK... Nice try.

Too bad you didn't add a requirement that the patch actually be *correct*.

Also, you're totally overlooking the fact that *sometimes*, fixing a problem
requires some major re-architecting - for instance, if an API has to be changed,
then *every* caller has to be updated, and quite possibly re-designed, and
the changes have an annoying tendency to ripple outward (if subroutine A
has a 7th parameter added, then everybody who calls A has to be updated. And
it's likely that you'll find routines B, C, and D that have no *idea* what the
correct value of the parameter should be, because they don't have access to the
data - so now callers of B, C, and D have to pass another parameter that gets
passed to A).

Any company that will commit to a "must" on this one is nuts. It's a good
target, but making it mandatory is just asking companies to ship a half-baked
patch that seems to fix the PoC rather than the underlying design flaw.

And going back and reviewing the patch history on IE is instructive - more than
once, Microsoft has released a patch for a known Javascript flaw, only to find
out within a week that a very slight change would make the exploit work again.

Is that *really* what you want? It's certainly not what *I* want. Waiting
another 3-4 days past your arbitrary 14-day limit for a *good* patch is certainly
preferable for those of us who actually have to deal with this stuff for a living,
rather than hide out on a Yahoo group.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/