Full Disclosure mailing list archives

Re: Re: what we REALLY learned from WMF


From: "dudevanwinkle () gmail com" <dudevanwinkle () gmail com>
Date: Sat, 07 Jan 2006 02:20:53 -0800

Gadi Evron wrote:


I am not criticizing Microsoft over the patch. I am happy.

I am just saying that we as an industry got used to False Positives,
slow responses, etc. We should demand more and this situation proved
it is possible.

    Gadi.


Ja, all we have to do is write the patch for them, then we have great
turn around ;-)

Seriously though, I think the fact that someone else duplicated their
patch (the file date of the 28th in the patch shows this, as does the
bindiff), and that they then had pre-hotfix-release information on what bugs
occurred due to the removal of this abortproc wmf "feature" on a very
large customer base (300GB of uploads before the site was taken offline,
that's a _big_ test user base), was what made it possible for MS to
release the patch earlier than promised.

Still though, Gadi is right that this shows if there is enough demand
for an RC1 patch, they may release them.... as long as the exploit can
be googled beforehand and MS doesn't have to worry about ppl RCE'ing the
beta patch and creating an exploit as a result of their program.

A lot of "ifs", but it can happen.

-JP
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

