RE: [Full-Disclosure] The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011

From: Burnes, James (james.burnes_at_gwl.com)
Date: 04/14/04

    To: <support@mmicman.com>, "Roman Drahtmueller" <draht@suse.de>, <full-disclosure@lists.netsys.com>
    Date: Wed, 14 Apr 2004 11:25:47 -0600
    
    

    Exactly the point of full disclosure. If someone with a serious axe to grind had stumbled onto the ASN.1 flaw before the eEye notice, it could have been an ELE* for MS and some major corporations.

    Let's see, unpatched ASN.1 + Flash Worm = ?

    jim burnes
    security engineer
    great-west, denver
     
    *Extinction Level Event

    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com [mailto:full-disclosure-
    > admin@lists.netsys.com] On Behalf Of Edward W. Ray
    > Sent: Wednesday, April 14, 2004 9:40 AM
    > To: 'Roman Drahtmueller'; full-disclosure@lists.netsys.com
    > Subject: RE: [Full-Disclosure] The new Microsoft math: 1 patch for 14
    > vulnerabilities, MS04-011
    >
    > I would not mind the bunching, except that many of the vulnerabilities were
    > discovered more than 4-6 months ago. The other OSes release patches much
    > more quickly. What if someone other than eEye with an axe to grind
    > discovered these flaws before Microsoft decided to patch them?
    >
    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com
    > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Roman
    > Drahtmueller
    > Sent: Wednesday, April 14, 2004 7:36 AM
    > To: full-disclosure@lists.netsys.com
    > Subject: Re: [Full-Disclosure] The new Microsoft math: 1 patch for 14
    > vulnerabilities, MS04-011
    >
    > >
    > > I use Linux, OpenBSD and Windows in my enterprise. Linux and OpenBSD
    > > use the "1 patch for 1 vulnerability" rule. Seems to me that MS is
    > > bunching their patches together in order to make it seem on the
    > > surface that Windows has fewer patches than other OSes, therefore it is
    > > more secure. CIOs, take note.
    >
    > It happens from time to time (today...) that several bugs get fixed with
    > one update package on SUSE Linux (and other Linuxes). But: one update
    > package fixes one package, whereas one patch can consist of several update
    > packages (in our patch management framework).
    >
    > After all, it is a matter of transparency if you can manually, individually
    > select what update package you want on your system and which not. Probably
    > even more important: you should also be able to see what _changes_ have
    > been applied to every single update package. Otherwise, you just can't know
    > what else has been "fixed"...
    >
    > Regards,
    > Roman.
    > --
    > | Roman Drahtmüller <draht@suse.de>          // "You don't need eyes to see, |
    > | SUSE Linux AG - Security   Phone:          //  you need vision!"           |
    > | Nürnberg, Germany          +49-911-740530  //  Maxi Jazz, Faithless        |
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html


