Full Disclosure mailing list archives

Re: Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws


From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Sun, 26 Mar 2006 13:43:57 +0200


body > contains > n3td3v
from > contains > n3td3v

delete message
delete from pop server

is a good solution in Thunderbird to get rid of this FD bug.

cheers.

ad () heapoverflow com wrote:
well for me n3td3v and probably a lot here, you are in the junk
settings because I think most of the FD list is really pissed off by your
international kiddie attitude...

n3td3v wrote:
Sorry to say the n3td3v group involves employees (rogue) who
have called for this. You can ringgle and ranggle your political
point of users within the MS not having enough time scale to
promote to a certain issue, but that's complete crap. One reason
being the folks within the n3td3v group are actually people
from MS, YAHOO, AOL, etc already. The folks at n3td3v group are
part of the industry already, for you to put your point across
Mr Valdis is cool, but the n3td3v group if you hadn't realised
before is part of a between the major dot coms.

On 3/26/06, Valdis.Kletnieks () vt edu wrote:

On Sat, 25 Mar 2006 22:12:23 GMT, n3td3v said:

You Microsoft must officially agree that all flaws marked as
"Critical" must have a patch within 7 to 14 days of public disclosure.

OK... Nice try.

Too bad you didn't add a requirement that the patch actually be *correct*.

Also, you're totally overlooking the fact that *sometimes*,
fixing a problem requires some major re-architecting - for
instance, if an API has to be changed, then *every* caller has
to be updated, and quite possibly re-designed, and the changes
have an annoying tendency to ripple outward (if subroutine A
has a 7th parameter added, then everybody who calls A has to be
updated. And it's likely that you'll find routines B, C, and
D that have no *idea* what the correct value of the parameter
should be, because they don't have access to the data - so now
callers of B, C, and D have to pass another parameter that gets
passed to A).

Any company that will commit to a "must" on this one is nuts.
It's a good target, but making it mandatory is just asking
companies to ship a half-baked patch that seems to fix the PoC
rather than the underlying design flaw.

And going back and reviewing the patch history on IE is
instructive - more than once, Microsoft has released a patch
for a known Javascript flaw, only to find out within a week
that a very slight change would make the exploit work again.

Is that *really* what you want?  It's certainly not what *I*
want.  Waiting another 3-4 days past your arbitrary 14-day
limit for a *good* patch is certainly preferable for those of
us who actually have to deal with this stuff for a living,
rather than hide out on a Yahoo group.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/











