Bugtraq: Re: Windows 9x? (Re: Microsoft Security Bulletin (MS00-047))

From: Ryan Fox <rfox_at_NOGUSKA.COM>
Date: Wed, 2 Aug 2000 12:39:06 -0400

What irks me about this e-mail.....

1. The vendor knew versions of their software were vulnerable, but
intentionally failed to list them in their disclosure. An example situation
where these platforms are susceptible (large win9x-only workgroup) has
already been posted to the list, and the vendor does not feel it is worth it
to patch. Let's call this one vendor's prerogative and move on.

2. The vendor's patch, by their own admission in the last e-mail, breaks
some "normal, by-design management functions" in the NetBIOS protocol. They
also called the patch unsuitable for rollout over the entire network.
Nowhere in the initial disclosure was any mention of this. I, for one,
would feel much more comfortable applying a patch if I knew exactly what it
did. Open source arguments aside, perhaps vendors should make a practice of
creating detailed TIDs for released patches, documenting what changes in
the system will occur upon application.

Ryan Fox
Noguska
rfox_at_noguska.com
Received on Aug 02 2000
