mailing list archives
Re: WMF patch
From: Valdis.Kletnieks () vt edu
Date: Wed, 04 Jan 2006 17:58:16 -0500
On Wed, 04 Jan 2006 13:36:53 PST, Fred Heutte said:
In my reading this is a serious vulnerability, but the self-
inflating agitation in the "security community" has reached
a highly annoying level. I'm in the FTDT (fix the damn thing)
school; let's deal with it and get on with it. Every cycle spent
moaning about the faults of Microsoft is a lost opportunity
for something more productive.
How many times do you propose we FTDT before we get fed up and ask upper
management to authorize a migration to some other software with a better
record? And how many more FTDT's do we need to tolerate while we wait for
upper management to authorize a migration?
Or to put it differently - if you discovered that your router vendor was
vulnerable because they had a proprietary BGP extension *designed* to deliver
arbitrary code for execution, would you FTDT, or would you be on the phone
with your vendor venting your outrage? And what if it wasn't the first, but
more like the 10th year in a row that a similar design issue had surfaced?
Would you still just FTDT?
And while you're trying to figure out how to roll out a patch to 200 routers
that are totally under your control, keep in mind that a *small* organization
can have 30K PCs, not always totally managed.
Still feel like just FTDT?