Re: Time-to-patch vs Disclosure method

From: Mark Kennedy (mkennedy@symantec.com)
Date: 10/17/01 

Subject: Re: Time-to-patch vs Disclosure method
To: Olaf Kirch <okir@caldera.de>
Message-ID: <OFED72531A.CF49203A-ON88256AE8.007803B9@symantec.com>
From: "Mark Kennedy" <mkennedy@symantec.com>
Date: Wed, 17 Oct 2001 14:55:53 -0700

I disagree that all Microsoft is doing is diverting attention. They raise
some legitimate questions and concerns. Their problems are another topic.
But just because they are the source of the vulnerability does not
undermine their valid concerns on how that vulnerability is disclosed.

Thanx,

Mark

                                                                                                                          
                    Olaf Kirch
                    <okir@caldera. To: "J. J. Horner" <jhorner@2jnetworks.com>
                    de> cc: vuln-dev@securityfocus.com
                                         Subject: Re: Time-to-patch vs Disclosure method
                    10/17/2001
                    02:02 PM
                                                                                                                          
                                                                                                                          

On Wed, Oct 17, 2001 at 01:15:20PM -0400, J. J. Horner wrote:
> I think it would be helpful to see some stats showing
> the length of time to security patch versus the
> type of disclosure used (full, or otherwise).

I think the really interesting metric is time-to-exploit vs
disclosure. The time-to-exploit can be quite low. I particularly remember
the uw-imap AUTH bug I reported to Crispin a couple of years ago. There
was an announcement to the pine-users mailing list about an unspecified
"security fix". The first exploits were available the other day, and
the first mass scans were well under way a week or two later.

Similar things happened with other Linux/Unix holes (amd, rpc.statd, etc).
With most services _knowing_ there's a security hole is enough to motivate
people to go find it and write an exploit.

What Microsoft is doing right now, though, is divert everyone's attention
from the real problem, which is the quality of their product. So whatever
one says in response to their claims will probably just add to the smoke
and FUD.

Olaf 

--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.

Relevant Pages

  • [Full-Disclosure] GUNINSKI THE SELF-PROMOTER
    ... Schneier has a little more credibility that Smith methinks. ... software companies feud over disclosure of weaknesses ... software maker about a devastating security flaw in one of its most popular ... Microsoft acknowledged that 200 ...
    (Full-Disclosure)
  • Re: [Full-Disclosure] GUNINSKI THE SELF-PROMOTER
    ... > software maker about a devastating security flaw in one of its most popular ... Of course Microsoft thinks this, ... > disclosure," the computer world's longtime standard for exposing security ... And if these bugs hadnt been showing up on bugtraq, vuln-watch, and full ...
    (Full-Disclosure)
  • Cyber terrorist @taviso responds to criticism
    ... Hyenas of the Security Industry ... Associating my actions with my employer is just an attempt to ... Tavis actually only gave Microsoft ~3 business working day to fix the bug ... Disclosure * Full Disclosure: he would have sent out the advisory ...
    (comp.security.misc)
  • Re: Press Release Response
    ... >technique than what eEye came up with, ... from the data that Microsoft gives within their advisories." ... is this practice of Full Disclosure effective? ... not the advisory of the vulnerability. ...
    (NT-Bugtraq)