Full Disclosure mailing list archives
RE: what we REALLY learned from WMF
From: "Adrian Marsden" <amarsden () jvsdet org>
Date: Thu, 5 Jan 2006 19:06:47 -0500
This is a silly post.... What are you trying to prove? That in some cases a company can test a patch quicker than in others? MS understood the issue, promised a fix on their scheduled date and did better than expected.... So you criticise them.... Way to go.... Make it so they can never win.... then they won't bother... and we all know who suffers then....

-----Original Message-----
From: Gadi Evron [mailto:ge () linuxbox org]
Sent: Thu 1/5/2006 4:53 PM
To: bugtraq () securityfocus com
Cc: full-disclosure () lists grok org uk
Subject: what we REALLY learned from WMF

What we really learn from this all WMF "thingie", is that when Microsoft wants to, it can.

Microsoft released the WMF patch ahead of schedule ( http://blogs.securiteam.com/index.php/archives/181 )

Yep, THEY released the PATCH ahead of schedule.

What does that teach us? There are a few options:

1. When Microsoft wants to, it can. There was obviously pressure with this 0day, still — most damage out there from vulnerabilities is done AFTER Microsoft releases the patch and the vulnerability becomes public.

2. Microsoft decided to jump through a few QA tests this time, and release a patch. Why should they be releasing BETA patches? If they do, maybe they should release BETA patches more often, let those who want to - use them. It can probably also shorten the testing period considerably.

If this patch is not BETA, but things did just /happen/ to progress more swiftly.. then maybe we should re-visit option #1 above.

...

Maybe it’s just that we are used to sluggishness. Perhaps it is time we, as users and clients, started DEMANDING of Microsoft to push things up a notch.

...

Put in the necessary resources, and release patches within days of first discovery. I’m willing to live with weeks and months in comparison to the year+ that we have seen sometimes. Naturally some problems take longer to fix, but you get my drift.

It’s just like with false positives… as an industry we are now used to them. We don’t treat them as bugs, we treat them as an “acceptable level of”, as I heard Aviram mention a few times.

...

The rest is in my blog entry on the subject: http://blogs.securiteam.com/index.php/archives/182

Gadi.