RE: [Dailydave] RE: Microsoft silently fixes security vulnerabilities
From: Steve Manzuik (smanzuik at eeye.com)
Date: Fri Apr 21 2006 - 14:07:44 CDT
> What if the vendor disclosed in every patch the maximum
> severity level of any vulnerabilities fixed in the patch
> without disclosing specifics? Would this be a good
> middle-ground solution?
They already do this. At least MS does this. We have seen patches that are rated critical but also fix a number of medium and low issues. The point here, though, is that most experienced IT Admins do not trust the vendor rating. I am not saying it is right, but it is the way things are.
> issue in Foo Corp's MechaFoo.
MechaFoo. The first product named that I will buy. :P
> Is this a sufficient solution to simultaneously provide the
> poor IT guy with information for risk assessment purposes
> while not providing excessive information that might hasten
> exploitation?
Based on my experience from being an IT guy, a consultant, and now working for a software vendor: no, this isn't enough information. As HD said in his other email -- the silently fixed vulnerabilities are the ones pen-testers love and are equally loved by attackers.