funsec mailing list archives

Re: standards status in the industry - opinion?


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Sat, 07 Jan 2006 16:15:19 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Florian Weimer wrote:
* Matthew Murphy:


I agree with that, but I think it misses the point.  The fact is that
180-200 days go by before Microsoft issues patches for serious bugs.
Sometimes more.  That's flat-out unacceptable.

Such long delays make predisclosure information much more valuable.
Quite a few organizations distribute such information, showing their
relevance.  Do you really think they want Microsoft to kill this
market?  How much influence do these guys have on Microsoft and
legislators?

First, Microsoft lacks the ability to "kill" this market.  Even if
Microsoft starts putting out patches 10-14 days after issues are
reported, there's still a market for pre-release information.  That's
particularly true in an environment where an increasing number of
Windows-related vulnerabilities are being exploited pre-patch by
commercially-interested malicious code authors.

Second, I'm not expecting that Microsoft could start turning out patches
in two weeks as a matter of routine.  A two to three month timeframe is
what I proposed (with extensions for architecturally challenging
issues), so this wouldn't push the market anywhere near the ugly death
you speak of.

Third, I don't think these organizations have as much influence as you
might believe.  Ultimately, Microsoft is still the monopolistic domineer
it always has been, and most of their customers want patches to be
speedy if they can still be well-tested.  If Microsoft decided to trim
the fat from its patch processes, the security vendors would be forced
to suck it up and deal with it.

Fourth, I spoke of what Microsoft *should* do, not what I felt it would
do.  I honestly don't expect an immediate dent in patch timeframes.

Fifth, with that decided, the community is going to have to force
Microsoft's hand.  The way to persuade Microsoft to patch in a timely
fashion is to seriously undercut the organizations you cite.  The
way to do that is to disclose vulnerabilities publicly when Microsoft
fails to patch them in a reasonable time (i.e. 3 months).  We're not
going to see that from corporate entities though, as they profit when
Microsoft delays.  If this becomes a pattern, Microsoft will be forced to
slim down its patch processes.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFDwD13fp4vUrVETTgRAwe2AJ9O6zyuxHgUn6O/CYt3S2NzUx7w1QCeKDEU
dyHngHEPiapbMxhq2BJ6R3o=
=r8pQ
-----END PGP SIGNATURE-----

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.