"John Howie" <JHowie@securitytoolkit.com> writes:

> I think your decision to ask Microsoft first is a sign of your
> prejudice, why not ask the Open Source communities to lead the way?

Speaking of the "Open Source" community, I'd really like to see them following Microsoft's lead in the advisory writing business. Their notifications are converging towards something useful, and it's only a question of time when they will start to describe how to block attacks on the network layer if possible, and how to employ their own products to protect infrastructure even if you can't immediately apply a patch.

For software distributed in source code, you can reverse-engineer this information by examining the source code changes, but that's beyond the skills of the average sysadmin. And for a typical free software zoo, it's coming close to a full-time job as well.

If those who really understand and fix the bugs could provide such information (e.g. rough requirements for attack such as access to certain TCP ports, the security context injected code runs in, indirectly affected products, proof-of-concept exploits to independently check vendor fixes), those "Open Source" enthusiasts might actually claim that their bug squashing process is superior.

Currently, the way security defects are resolved sucks badly: The information is accessible, somehow, somewhere, but no one takes the trouble to make it accessible to the average sysadmin. Or is everyone busy catering to their paying customers, and sharing information would just reduce the perceived value the customers receive?

-- 
Florian Weimer                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart         http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                        fax +49-711-685-5898