The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


what we REALLY learned from WMF


<< Previous INDEX Search src / Print Next >>
Date: Thu, 05 Jan 2006 23:53:45 +0200
From: Gadi Evron <ge@linuxbox.org.>
To: [email protected]
Subject: what we REALLY learned from WMF
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
X-Greylist: Sender succeded SMTP AUTH authentication, not delayed by milter-greylist-1.7.5 (linuxbox.org [24.155.83.21]); Thu, 05 Jan 2006 15:54:40 -0600 (CST)
X-Virus-Scanned: antivirus-gw at tyumen.ru

What we really learn from this all WMF "thingie", is that when Microsoft 
wants to, it can.

Microsoft released the WMF patch ahead of schedule
( http://blogs.securiteam.com/index.php/archives/181 )

Yep, THEY released the PATCH ahead of schedule.

What does that teach us?

There are a few options:
1. When Microsoft wants to, it can.

There was obviously pressure with this 0day, still — most damage out 
there from vulnerabilities is done AFTER Microsoft releases the patch 
and the vulnerability becomes public.

2. Microsoft decided to jump through a few QA tests this time, and 
release a patch.

Why should they be releasing BETA patches?
If they do, maybe they should release BETA patches more often, let those 
who want to - use them. It can probably also shorten the testing period 
considerably.
If this patch is not BETA, but things did just /happen/ to progress more 
swiftly.. than maybe we should re-visit option #1 above.

...

Maybe it’s just that we are used to sluggishness. Perhaps it is time we, 
as users and clients, started DEMANDING of Microsoft to push things up a 
notch.

...

Put in the necessary resources, and release patches within days of first 
discovery. I’m willing to live with weeks and months in comparison to 
the year+ that we have seen sometimes. Naturally some problems take 
longer to fix, but you get my drift.

It’s just like with false positives… as an industry we are now used to 
them. We don’t treat them as bugs, we treat them as an “acceptable level 
of”, as I heard Aviram mention a few times.

...

The rest is in my blog entry on the subject:
http://blogs.securiteam.com/index.php/archives/182

        Gadi.

<< Previous INDEX Search src / Print Next >>



ðÁÒÔΣÒÙ:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
èÏÓÔÉÎÇ:

úÁËÌÁÄËÉ ÎÁ ÓÁÊÔÅ
ðÒÏÓÌÅÄÉÔØ ÚÁ ÓÔÒÁÎÉÃÅÊ
Created 1996-2024 by Maxim Chirkov
äÏÂÁ×ÉÔØ, ðÏÄÄÅÒÖÁÔØ, ÷ÅÂÍÁÓÔÅÒÕ