Bugtraq mailing list archives

Re: NT RPC Hotfix


From: brad.powell () West Sun COM (Brad.Powell)
Date: Fri, 24 Jan 1997 08:14:54 -0800


Aleph One writes:

  Microsoft just released a hotfix for the RPC vulnerability:
  Their quick turn around time leaves to shame Unix vendors that take
  weeks or months to provide a patch. Oh well.

I usually don't get into these kinds of debates :-), but what the hell ;^)

Sorry guy, I disagree with your reasoning. To the uninitiated this might
be a logical conclusion, but having fought a lot of companies for patches
over the years (security as well as bug and panic fixes) I'd have to say
that MS probably *knew* about the bug and had a fix waiting for release
in the next OS. They probably took the posture of keeping it quiet since
there wasn't any "problem".
MY OPINION ONLY so don't get mad :-)

Many companies take this posture. This is what I tried to change when I
started the customer warning system at Sun. Radical notion I know, but
at the time I had grandiose notions of working honestly and up front with
customers (I still believe this). CERT back then was great at tracking and
making sure I got patches out for bugs that we *didn't* know about until
someone came forward. We proactively sent out patches for bugs that we did
know about *before* there was a posting.

I haven't given up on the system, :-). I do understand that many bugs
are in most Unix variants and so each vendor needs to be notified and
get their patch ready and CERT doesn't send out a notice until there are
patches for -each- system. This practice I don't quite like, since there
may be a Sun or HP patch available for 2-3 months before a notice goes out;
the patch waits for all the other vendors to get their fix in, and the coordination
time takes many CERT cycles and everybody loses (imho).

I'd prefer that as soon as all vendors get the notice of a (security) bug
that CERT would give them two weeks and then post the notice. If Sun is
slow about getting out a fix, or HP or IBM or whoever, fine, let's let the
customers see some competition, and I'm willing to accept that the market
decide which companies survive and which don't. I also know that when a
bug comes out a workaround can commonly be done in a few hours, and I
also know that many persons reporting bugs often already have a fix (sometimes
better than the fix we came up with).

So to make a long story short (too late), a fast turnaround doesn't mean
"proactive" working with customers. It can mean keeping your mouth shut
and not getting the information out until you have to.

Again MY opinion.

Off the soapbox now (must be this new "shock coffee").


Brad.
