__/ [ Sinister Midget ] on Wednesday 29 March 2006 14:44 \__
> On 2006-03-29, William Poaster <wp@xxxxxxxxxxxxxx> posted something
>> On Wed, 29 Mar 2006 13:32:24 +0100, Gordon wrote:
>>> Security firms doing MS's job for them?
>> Get this!
>> "Microsoft said it could not endorse the patches or recommend that users
>> install them as they had not been through the software giant's testing and
>> evaluation program."
>> Sour grapes, or what.
> I doubt it. They're probably worried that their own patch (I'm assuming
> there will be one someday) won't reach the same high level of
> competence as somebody who has never seen the source. They want to
> "test and evaluate" (read "release in the next generation") what they
> endorse, then "innovate" it from the original author.
Don't forget another factor. Patching that one vulnerability using some slack
layer of plaster in haste leaves room for other similar-yet-necessary
patches. It's a tradeoff between time of exposure and value of patch.
Knowing Microsoft, they will be urged to release some protection (badly
tested too, thus breakage to be entailed) ASAP and, the following week,
aftershocks will ensue. Think of the WMF exploit, which had sort of variants
or yet-undiscovered routes to being exploited.
What is the solution? Release an operating system that is secure in the first
place and never rely on 90th-minute patching. Learn from OSDL. No patches 2
weeks before the release.
Roy S. Schestowitz | "Yes, I know, but does it run Linux?"
http://Schestowitz.com | SuSE Linux ¦ PGP-Key: 0x74572E8E
3:55pm up 21 days 5:40, 9 users, load average: 1.14, 0.82, 0.55
http://iuron.com - next generation of search paradigms