Full Disclosure mailing list archives
RE: OSS means slower patches
From: "Lauro, John" <jlauro () umflint edu>
Date: Mon, 19 Sep 2005 09:21:05 -0400
Might be, if I could believe the stats... The problem is that the stats are messed up. It claims only 8 critical flaws in IE this year, and a low average time for fixing the flaws. That number may be correct in terms of critical flaws, but some of the critical flaws in IE were found last year (and only recently fixed); it's just that many flaws are not publicly acknowledged by Microsoft until a patch is available... Because of the openness of OSS, it might be that the time between widespread public awareness of a hole and patch availability is larger, but that does not mean slower patches in terms of the actual vulnerability, as the data reported for IE was clearly flawed. Or maybe the study (to make IE look good) tossed out vulnerabilities found last year but only fixed this year??? To really determine the difference, you must track back to when the oldest version of the software that could be exploited was released, instead of when the flaw was "publicly" acknowledged...
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Ivan .
Sent: Monday, September 19, 2005 8:03 AM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] OSS means slower patches

An interesting perspective?

http://australianit.news.com.au/articles/0,7204,16650762%5E15306%5E%5Enbv%5E,00.html

Symantec Australia managing director David Sykes said the increasing popularity of open source software, such as the Mozilla Foundation's Firefox browser, could be part of the reason for the increase in the gap between vulnerability and patch, with the open source development model itself part of the problem. "It is relying on the goodwill and best efforts of many people, and that doesn't have the same commercial imperative," he said. "I'm sure that is part of what is causing the blow-out in the patch window."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- OSS means slower patches Ivan . (Sep 19)
- Re: OSS means slower patches Michael Silk (Sep 19)
- Re: OSS means slower patches Ivan . (Sep 19)
- Re: OSS means slower patches Roman Drahtmueller (Sep 19)
- Re: OSS means slower patches Michael Silk (Sep 19)
- Re: OSS means slower patches bkfsec (Sep 19)
- Re: OSS means slower patches bkfsec (Sep 19)
- Re: OSS means slower patches security curmudgeon (Sep 19)
- <Possible follow-ups>
- RE: OSS means slower patches Lauro, John (Sep 19)
- Re: OSS means slower patches Michael Silk (Sep 19)