Re: what we REALLY learned from WMF

[Gadi Evron <ge () linuxbox org>]

Adrian Marsden wrote:
> Actually, what this whole situation proves is that a company with an installed base that figures in, what, the 90th 
> percentile has an incredible amount of testing to do but that a talented individual can create a patch and issue it 
> basically untested with the appropriate disclaimer quite rapidly.
>
> In this instance the patch didn't fix the vulnerable code at the source and was truly a "patch". Had MS issued that patch immediately 
> it seems to me that you would have criticised them for putting out a "half-assed" patch. Had they issued their actual patch untested and it 
> broke a couple of percent of their user base's installs you probably would have castigated them for being irresponsible and not testing the 
> patch.
>
> What actually occured was that they, as is their policy, issued the best workaround they could, (unreg the .dll), and promised a 
> patch by a certain date. They beat the schedule by what 25%, maybe 50% from the time they made the promise. In any performance 
> evaluation one would have to conclude that MS performed "better than expected".
>
> I would agree that not asking for improvement ever would lead to further mediocrity but at the same time, placing anyone in 
> a no-win situation _all_ the time eventually leads to them losing interest. Giving credit where it is due isn't unfair 
> in this situation and in the end you always get more with sugar than you do vinegar.

I am not criticizing Microsoft over the patch. I am happy.

I am just saying that we as an industry got used to False Positives, 
slow responses, etc. We should demand more and this situation proved it 
is possible.

        Gadi.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/