[Full-disclosure] RE: what we REALLY learned from WMF

This is a silly post.... What are you trying to prove? That in some cases a company can test a patch quicker than in others?

MS understood the issue, promised a fix on their scheduled date and did better than expected.... So you criticise them....

Way to go.... Make it so they can never win.... then they won't bother... and we all know who suffers then....

-----Original Message-----
From: Gadi Evron [mailto:ge@xxxxxxxxxxxx]
Sent: Thu 1/5/2006 4:53 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: what we REALLY learned from WMF

What we really learn from this all WMF "thingie", is that when Microsoft
wants to, it can.

Microsoft released the WMF patch ahead of schedule
( http://blogs.securiteam.com/index.php/archives/181 )

Yep, THEY released the PATCH ahead of schedule.

What does that teach us?

There are a few options:
1. When Microsoft wants to, it can.

There was obviously pressure with this 0day, still — most damage out
there from vulnerabilities is done AFTER Microsoft releases the patch
and the vulnerability becomes public.

2. Microsoft decided to jump through a few QA tests this time, and
release a patch.

Why should they be releasing BETA patches?
If they do, maybe they should release BETA patches more often, let those
who want to - use them. It can probably also shorten the testing period
If this patch is not BETA, but things did just /happen/ to progress more
swiftly.. than maybe we should re-visit option #1 above.


Maybe it’s just that we are used to sluggishness. Perhaps it is time we,
as users and clients, started DEMANDING of Microsoft to push things up a


Put in the necessary resources, and release patches within days of first
discovery. I’m willing to live with weeks and months in comparison to
the year+ that we have seen sometimes. Naturally some problems take
longer to fix, but you get my drift.

It’s just like with false positives… as an industry we are now used to
them. We don’t treat them as bugs, we treat them as an “acceptable level
of”, as I heard Aviram mention a few times.


The rest is in my blog entry on the subject:


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: Why no patch for the .wmf problem?
    ... > Where is the evidence in this article that Microsoft intended to wait ... Microsofts monthly patch update. ... The evidence is that Microsoft had the patch, had tested it but were going ... decided that releasing this early, breaking the monthly cycle was sensible. ...
  • Re: [Full-disclosure] Security Alert: Unofficial IE patches appear on internet
    ... created by a vulnerability is as serious as this case and the available ... Microsoft will be inclined strongly against holding on to this patch. ... Microsoft often have patches ready but wait for the corporate known ...
  • Re: Worm in Patch
    ... a naive and trusting nature in your personality believing that you would ... "receive a patch" instead of getting it from a trusted source..? ... Essentially - Microsoft never emails you a patch. ... using Windows XP "prettifications". ...
  • Re: Why do i keep on receiving shutdown system ?
    ... the Microsoft provided information on the matter can be ... The Symantec Repair utility and manual removal instructions can be found ... The patch that would have prevented this whole fiasco for you: ... If you have Sasser, the Microsoft provided information on the matter can be ...
  • Re: NT Authority..
    ... You could have Blaster or you could have Sasser. ... the Microsoft provided information on the matter can be ... The patch that would have prevented this whole fiasco for you: ... After enabling the Internet Connection Firewall or creating the read-only ...