[Full-disclosure] Re: what we REALLY learned from WMF
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpapacbell.net)
Date: Thu Jan 05 2006 - 18:07:17 CST
Don't release a beta patch ....
1. it would get patches into reverse engineering faster [hello look what
happened to the leaked patch]
Don't ask for an untested patch if you are not willing to be there in
the newsgroups, communities and listserves helping the dead bodies after
a bad patch sir.
Do you do/handle change management in your firm? Even in my small firm
I could not handle the 'any time/any day' that patches used to come out.
Be careful of what you ask for, sir... because if you get what you
want.... ensure your firm has the resources to test/deploy/change
management on a 24 hours a day 7 days a week schedule because exploits
can be built in less than 20 minutes.
If the security issue has been responsibly disclosed, there is a process
that is needed to build a patch and test the patch. Some issues take
more than 'days', sir. And testing takes time as well, sir.
For my community I want tested patches sir, and I will argue until
doomsday on that point. Don't hurt my community with a bad patch or a
beta patch, sir.
SBS community member
Gadi Evron wrote:
> What we really learn from this all WMF "thingie", is that when
> Microsoft wants to, it can.
> Microsoft released the WMF patch ahead of schedule
> ( http://blogs.securiteam.com/index.php/archives/181 )
> Yep, THEY released the PATCH ahead of schedule.
> What does that teach us?
> There are a few options:
> 1. When Microsoft wants to, it can.
> There was obviously pressure with this 0day, still - most damage out
> there from vulnerabilities is done AFTER Microsoft releases the patch
> and the vulnerability becomes public.
> 2. Microsoft decided to jump through a few QA tests this time, and
> release a patch.
> Why should they be releasing BETA patches?
> If they do, maybe they should release BETA patches more often, let
> those who want to - use them. It can probably also shorten the testing
> period considerably.
> If this patch is not BETA, but things did just /happen/ to progress
> more swiftly.. then maybe we should re-visit option #1 above.
> Maybe it's just that we are used to sluggishness. Perhaps it is time
> we, as users and clients, started DEMANDING of Microsoft to push
> things up a notch.
> Put in the necessary resources, and release patches within days of
> first discovery. I'm willing to live with weeks and months in
> comparison to the year+ that we have seen sometimes. Naturally some
> problems take longer to fix, but you get my drift.
> It's just like with false positives... as an industry we are now used to
> them. We don't treat them as bugs, we treat them as an "acceptable
> level of", as I heard Aviram mention a few times.
> The rest is in my blog entry on the subject:
Letting your vendors set your risk analysis these days?
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/