Full Disclosure mailing list archives
RE: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011
From: "Burnes, James" <james.burnes () gwl com>
Date: Wed, 14 Apr 2004 11:25:47 -0600
Exactly the point of full disclosure. If someone with a serious axe to grind had stumbled onto the ASN.1 flaw before the Eeye notice, it could have been an ELE* for MS and some major corporations.

Let's see, unpatched ASN.1 + Flash Worm = ?

jim burnes
security engineer
great-west, denver

*Extinction Level Event
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Edward W. Ray
Sent: Wednesday, April 14, 2004 9:40 AM
To: 'Roman Drahtmueller'; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011

I would not mind the bunching, except that many of the vulnerabilities were discovered more than 4-6 months ago. The other OSes release patches much more quickly. What if someone other than Eeye with an axe to grind discovered these flaws before Microsoft decided to patch them?

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Roman Drahtmueller
Sent: Wednesday, April 14, 2004 7:36 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011

> I use Linux, OpenBSD and Windows in my enterprise. Linux and OpenBSD use the "1 patch for 1 vulnerability" rule. Seems to me that MS is bunching their patches together in order to make it seem on the surface that Windows has fewer patches than other OSes, therefore it is more secure. CIOs, take note.

It happens from time to time (today...) that several bugs get fixed with one update package on SUSE Linux (and other Linuxes). But: one update package fixes one package, whereas one patch can consist of several update packages (in our patch management framework).

After all, it is a matter of transparency if you can manually, individually select what update package you want on your system and which not. Probably even more important: you should also be able to see what _changes_ have been applied to every single update package. Otherwise, you just can't know what else has been "fixed"...

Regards,
Roman.
--
 -                                                                      -
| Roman Drahtmüller      <draht () suse de> // "You don't need eyes to see, |
  SUSE Linux AG - Security           Phone: //             you need vision!"
| Nürnberg, Germany              +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html