Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: what we REALLY learned from WMF
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 5 Jan 2006 15:07:48 -0700

On Thu, 05 Jan 2006 23:53:45 +0200
Gadi Evron <ge () linuxbox org> wrote:

What we really learn from this all WMF "thingie", is that when
Microsoft wants to, it can.

Microsoft released the WMF patch ahead of schedule
( http://blogs.securiteam.com/index.php/archives/181 )

Yep, THEY released the PATCH ahead of schedule.

What does that teach us?

There are a few options:
1. When Microsoft wants to, it can.

There was obviously pressure with this 0day, still — most damage out 
there from vulnerabilities is done AFTER Microsoft releases the patch 
and the vulnerability becomes public.

2. Microsoft decided to jump through a few QA tests this time, and 
release a patch.

Why should they be releasing BETA patches?
If they do, maybe they should release BETA patches more often, let
those who want to - use them. It can probably also shorten the
testing period considerably.
If this patch is not BETA, but things did just /happen/ to progress
more swiftly.. than maybe we should re-visit option #1 above.


Maybe it’s just that we are used to sluggishness. Perhaps it is time
we, as users and clients, started DEMANDING of Microsoft to push
things up a notch.


Put in the necessary resources, and release patches within days of
first discovery. I’m willing to live with weeks and months in
comparison to the year+ that we have seen sometimes. Naturally some
problems take longer to fix, but you get my drift.

It’s just like with false positives… as an industry we are now used
to them. We don’t treat them as bugs, we treat them as an “acceptable
level of”, as I heard Aviram mention a few times.


The rest is in my blog entry on the subject:


I didn't learn anything new...just confirmed what I've thought all
along...MS's Security sucks (who in their RIGHT MIND would have an
image file reader able to execute code???), and that the REAL hero's
are people in the security sector like here that created patches and
did the work that MS should have been able to do with their team of
people. I first started seeing things on wmf on December 29th on
sans.org.  It took MS 8 DAYS to release this patch.  Not acceptable in
my book...

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]