Vulnerability Development mailing list archives
Re: Time-to-patch vs Disclosure method
From: Olaf Kirch <okir () caldera de>
Date: Wed, 17 Oct 2001 23:02:53 +0200
On Wed, Oct 17, 2001 at 01:15:20PM -0400, J. J. Horner wrote:
I think it would be helpful to see some stats showing the length of time to security patch versus the type of disclosure used (full, or otherwise).
I think the really interesting metric is time-to-exploit vs disclosure. The time-to-exploit can be quite low. I particularly remember the uw-imap AUTH bug I reported to Crispin a couple of years ago. There was an announcement to the pine-users mailing list about an unspecified "security fix". The first exploits were available the other day, and the first mass scans were well under way a week or two later. Similar things happened with other Linux/Unix holes (amd, rpc.statd, etc).

With most services, _knowing_ there's a security hole is enough to motivate people to go find it and write an exploit.

What Microsoft is doing right now, though, is to divert everyone's attention from the real problem, which is the quality of their product. So whatever one says in response to their claims will probably just add to the smoke and FUD.

Olaf

--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de   +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
Current thread:
- Time-to-patch vs Disclosure method J. J. Horner (Oct 17)
- Re: Time-to-patch vs Disclosure method Olaf Kirch (Oct 17)
- Re: Time-to-patch vs Disclosure method Blue Boar (Oct 18)
- RE: Time-to-patch vs Disclosure method Dom De Vitto (Oct 19)
- Re: Time-to-patch vs Disclosure method Blue Boar (Oct 18)
- <Possible follow-ups>
- Re: Time-to-patch vs Disclosure method Mark Kennedy (Oct 17)
- Re: Time-to-patch vs Disclosure method terry white (Oct 18)
- Re: Time-to-patch vs Disclosure method Olaf Kirch (Oct 17)