funsec mailing list archives
Re: standards status in the industry - opinion?
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Sat, 07 Jan 2006 16:15:19 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Florian Weimer wrote:
> * Matthew Murphy:
>> I agree with that, but I think it misses the point. The fact is that 180-200 days go by before Microsoft issues patches for serious bugs. Sometimes more. That's flat-out unacceptable.
>
> Such long delays make predisclosure information much more valuable. Quite a few organizations distribute such information, showing their relevance. Do you really think they want Microsoft to kill this market? How much influence do these guys have on Microsoft and legislators?
First, Microsoft lacks the ability to "kill" this market. Even if Microsoft starts putting out patches 10-14 days after issues are reported, there's still a market for pre-release information. That's particularly true in an environment where an increasing number of Windows-related vulnerabilities are being exploited pre-patch by commercially-interested malicious code authors.

Second, I'm not expecting that Microsoft could start turning out patches in two weeks as a matter of routine. A two to three month timeframe is what I proposed (with extensions for architecturally challenging issues), so this wouldn't push the market anywhere near the ugly death you speak of.

Third, I don't think these organizations have as much influence as you might believe. Ultimately, Microsoft is still the monopolistic domineer it always has been, and most of their customers want patches to be speedy if they can still be well-tested. If Microsoft decided to trim the fat from its patch processes, the security vendors would be forced to suck it up and deal with it.

Fourth, I spoke of what Microsoft *should* do, not what I felt it would do. I honestly don't expect an immediate dent in patch timeframes.

Fifth, with that decided, the community is going to have to force Microsoft's hand. The way to persuade Microsoft to patch in a timely fashion is to seriously undercut the organizations you cite. The way to do that is to disclose vulnerabilities publicly when Microsoft fails to patch them in a reasonable time (i.e. 3 months). We're not going to see that from corporate entities though, as they profit when Microsoft delays. If this becomes a pattern, Microsoft will be forced to slim down its patch processes.

- --
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot."
-- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFDwD13fp4vUrVETTgRAwe2AJ9O6zyuxHgUn6O/CYt3S2NzUx7w1QCeKDEU
dyHngHEPiapbMxhq2BJ6R3o=
=r8pQ
-----END PGP SIGNATURE-----
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- standards status in the industry - opinion? Gadi Evron (Jan 06)
- Re: standards status in the industry - opinion? Matthew Murphy (Jan 06)
- Re[2]: standards status in the industry - opinion? Pierre Vandevenne (Jan 06)
- Re: standards status in the industry - opinion? Florian Weimer (Jan 07)
- Re: standards status in the industry - opinion? Matthew Murphy (Jan 07)
- Re: standards status in the industry - opinion? Gadi Evron (Jan 07)
- Re: standards status in the industry - opinion? Gadi Evron (Jan 07)
- Re: standards status in the industry - opinion? Drsolly (Jan 07)
- Re: standards status in the industry - opinion? Matthew Murphy (Jan 07)
- Re: standards status in the industry - opinion? Gadi Evron (Jan 07)
- Re: standards status in the industry - opinion? Florian Weimer (Jan 07)
- Re: standards status in the industry - opinion? Drsolly (Jan 07)
- Re: standards status in the industry - opinion? Florian Weimer (Jan 07)
- Re: standards status in the industry - opinion? Drsolly (Jan 07)
- Re: standards status in the industry - opinion? Matthew Murphy (Jan 06)
- Re: standards status in the industry - opinion? Drsolly (Jan 07)