Full Disclosure mailing list archives
Re: Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws
From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Sun, 26 Mar 2006 13:37:02 +0200
Well, for me n3td3v and probably a lot here, you are in the junk settings because I think most of the FD list is really pissed off at your international kiddie attitude...

n3td3v wrote:

> Sorry to say the n3td3v group involves employees (rogue) who have called for this. You can ringgle and ranggle your political point of users within the MS not having enough time scale to promote to a certain issue, but that's complete crap. One reason being the folks within the n3td3v group are actually people from MS, YAHOO, AOL, etc already. The folks at n3td3v group are part of the industry already, for you to put your point across Mr Valdis is cool, but the n3td3v group if you hadn't realised before is part of a between the major dot coms.
>
> On 3/26/06, Valdis.Kletnieks () vt edu wrote:
>
>> On Sat, 25 Mar 2006 22:12:23 GMT, n3td3v said:
>>
>>> You Microsoft must officially agree that all flaws marked as "Critical" must
>>> have a patch within 7 to 14 days of public disclosure.
>>
>> OK... Nice try. Too bad you didn't add a requirement that the patch actually be *correct*.
>>
>> Also, you're totally overlooking the fact that *sometimes*, fixing a problem requires some major re-architecting - for instance, if an API has to be changed, then *every* caller has to be updated, and quite possibly re-designed, and the changes have an annoying tendency to ripple outward (if subroutine A has a 7th parameter added, then everybody who calls A has to be updated. And it's likely that you'll find routines B, C, and D that have no *idea* what the correct value of the parameter should be, because they don't have access to the data - so now callers of B, C, and D have to pass another parameter that gets passed to A).
>>
>> Any company that will commit to a "must" on this one is nuts. It's a good target, but making it mandatory is just asking companies to ship a half-baked patch that seems to fix the PoC rather than the underlying design flaw.
>>
>> And going back and reviewing the patch history on IE is instructive - more than once, Microsoft has released a patch for a known Javascript flaw, only to find out within a week that a very slight change would make the exploit work again. Is that *really* what you want? It's certainly not what *I* want. Waiting another 3-4 days past your arbitrary 14-day limit for a *good* patch is certainly preferable for those of us who actually have to deal with this stuff for a living, rather than hide out on a Yahoo group.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/