Re: IBM report reviews Internet crime

[Owen DeLong <owen () delong com>]

On Feb 12, 2008, at 11:46 AM, Florian Weimer wrote:

> * Owen DeLong:
>
> > If the vulnerability cannot be corrected through a vendor patch,  
> > then,
> > one has to wonder what, exactly the vulnerability is.
>
> You assume that a vendor patches a vulnerability once they learn about
> it.  In my experience, this is not true.  Sometimes it's easy to  
> explain
> (product or vendor ceased to exist), sometimes it's not (some cross- 
> site
> scripting issues I'm trying to straighten out; minor bugs to you
> perhaps, but huge media exposure because of their visibility and
> reproducibility--think FDIV bug).

No, I presume that a vulnerability identified as "cannot be resolved  
through
vendor patch" means a vulnerability for which, even if a vendor patch  
were
available, it would not resolve the vulnerability.  A vulnerability  
for which
a patch is not yet available, but, which could be resolved if the vendor
released a patch is a vulnerability which "CAN be resolved through
vendor patch when one becomes available."

It is unclear from the text provided which of our conflicting  
definitions for
the term applies in IBM's text.

Owen