Re: Time-to-patch vs Disclosure method

From: Olaf Kirch (okirat_private)
Date: Wed Oct 17 2001 - 14:02:53 PDT

  • Next message: Robert McGinnis: "RE: pop3 exploit????"

    On Wed, Oct 17, 2001 at 01:15:20PM -0400, J. J. Horner wrote:
    > I think it would be helpful to see some stats showing
    > the length of time to security patch versus the
    > type of disclosure used (full, or otherwise).
    
    I think the really interesting metric is time-to-exploit vs
    disclosure. The time-to-exploit can be quite low. I particularly remember
    the uw-imap AUTH bug I reported to Crispin a couple of years ago. There
    was an announcement to the pine-users mailing list about an unspecified
    "security fix". The first exploits were available the other day, and
    the first mass scans were well under way a week or two later.
    
    Similar things happened with other Linux/Unix holes (amd, rpc.statd, etc).
    With most services _knowing_ there's a security hole is enough to motivate
    people to go find it and write an exploit.
    
    What Microsoft is doing right now, though, is divert everyone's attention
    from the real problem, which is the quality of their product. So whatever
    one says in response to their claims will probably just add to the smoke
    and FUD.
    
    Olaf
    -- 
    Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
    okirat_private  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
    okirat_private    +-------------------- Why Not?! -----------------------
             UNIX, n.: Spanish manufacturer of fire extinguishers.            
    



    This archive was generated by hypermail 2b30 : Wed Oct 17 2001 - 14:48:38 PDT