Full Disclosure mailing list archives
Re: what we REALLY learned from WMF
From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 06 Jan 2006 13:08:01 +0100
* Gadi Evron:
> What we really learn from this all WMF "thingie", is that when Microsoft wants to, it can. Microsoft released the WMF patch ahead of schedule ( http://blogs.securiteam.com/index.php/archives/181 )
>
> Yep, THEY released the PATCH ahead of schedule.

They already did that for the IIS WebDAV issue, just before the U.S. attack on Iraq.

> Why should they be releasing BETA patches?
They claim they do. It's called "Patch Validation Program", and access is kind of restricted because it also covers issues which are not yet public, and Microsoft doesn't want you to throw the patches at some advanced diffing tools.

If conference presentations by Microsoft employees can be trusted, the real issue with Microsoft patches (not the WMF patch, it's atypical in this regard) is that they always forward-port the whole component to the respective HEAD version. From a software engineering perspective, this looks like a good idea because it helps to contain divergence. But it also means that very extensive testing of patches is required because a very simple two-line fix to address a very localized buffer overflow turns into a massive upgrade operation. It only pays off if you've got to fix several non-localized defects in sequence, which doesn't seem to happen that often. In all other cases, patches are much more likely to come with unwanted side effects, which makes their deployment so much harder.

This leads to yet another factor: If you are a corporate IT guy responsible for patching, and there's a beta patch out there, you'd often be forced to install it, no matter what. Most IT departments aren't strong enough on their own to put forth a patching schedule and adhere to it, and most people in the field very much like the regularity of Microsoft's security updates. They don't care much about all this window-of-exposure stuff, perhaps rightly so.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/