Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws

From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Sun, 26 Mar 2006 13:37:02 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
well for me n3td3v and probably a lot here , you are in the junk
settings because I think most FD list is really pissed off your
international kiddie attitude...

n3td3v wrote:

Sorry to say the n3td3v group involves employees (rogue) who have
called for this. You can ringgle and ranggle your poltical point of
users within the MS not having enough time scale to promote to a
certain issue, but thats complete crap. One reason being the folks
within the n3td3v group are actually people from MS, YAHOO, AOL, etc
already. The folks at n3td3v group are part of the industry already,
for you to put your point across mr Valdis is cool, but the n3td3v
group if you hadent realised before is part of a between the major
dot coms.

On 3/26/06, *Valdis.Kletnieks () vt edu
<mailto:Valdis.Kletnieks () vt edu>* <Valdis.Kletnieks () vt edu
<mailto:Valdis.Kletnieks () vt edu>> wrote:

    On Sat, 25 Mar 2006 22:12:23 GMT, n3td3v said:

    > You Microsoft must officially agree that all flaws marked as
    "Critical" must
    > have a patch within 7 to 14 days of public disclosure.

    OK... Nice try.

    Too bad you didn't add a requirement that the patch actually be
    *correct*.

    Also, you're totally overlooking the fact that *sometimes*,
    fixing a problem
    requires some major re-architecting - for instance, if an API
    has to be changed,
    then *every* caller has to be updated, and quite possibly
    re-designed, and
    the changes have an annoying tendency to ripple outward (if
    subroutine A
    has a 7th parameter added, then everybody who calls A has to be
    updated.  And
    it's likely that you'll find routines B, C, and D that have no
    *idea* what the
    correct value of the parameter should be, because they don't
    have access to the
    data - so now callers of B, C, and D have to pass another
    parameter that gets
    passed to A).

    Any company that will commit to a "must" on this one is
    nuts.  It's a good
    target, but making it mandatory is just asking companies to ship
    a half-baked
    patch that seems to fix the PoC rather than the underlying
    design flaw.

    And going back and reviewing the patch history on IE is
    instructive - more than
    once, Microsoft has released a patch for a known Javascript
    flaw, only to find
    out within a week that a very slight change would make the
    exploit work again.

    Is that *really* what you want?  It's certainly not what *I*
    want.  Waiting
    another 3-4 days past your arbitrary 14-day limit for a *good*
    patch is certainly
    preferable for those of us who actually have to deal with this
    stuff for a living,
    rather than hide out on a Yahoo group.





----------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (MingW32)
 
iD8DBQFEJnzeFJS99fNfR+YRArtZAKCVWIGekBeIyCSPIBC4M6ouQrNQzgCaAoJt
NV62LR4xtgZ6BnT/dozX0vU=
=W52r
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: