Daniel Lehenbauer - Demo of Avalon 3D

Half-Life 2. Nifty.
nektar wrote: Any news on the recent and still unpatched Windows holes? I heard that two out of the 3 also affect XP SP2.
dnrfan wrote:
Microsoft are extremely slow to release fixes/patches after being alerted to serious flaws. Why is this?
Just send me your name and address via email at
rscoble@microsoft.com and I'll get two out. Thanks!
Hardware team is coming up soon!
KosherCoder wrote: Extremely slow compared to what?
I saw one vulnerability on that eEye site that was several months "overdue", and they listed only one other outstanding.
KosherCoder wrote: Where do they get off claiming that 30 days is a standard time to expect a fix? They have no idea how long a fix could take.
We do not "get off" on claiming that 30 days is a standard time to expect a fix. We actually think that 60 days is the timeframe for producing a fix. That is why on our upcoming advisories page we only start listing vulnerability patches as being overdue after the 60-day mark, not 30 as you incorrectly state.
If you want to get specific about it, though, Microsoft is actually a part of an industry group that wrote a specification on vulnerability reporting and vendor handling of reported vulnerabilities. Within that standard, Microsoft and other companies in the industry agree that:
"The appropriate timeframe will vary from case to case, but it is important to set a target. By convention, thirty (30) calendar days (measured from the date the Vendor acknowledges receipt of the VSR to delivery of the fix) has been established as a good starting point for the discussions, as it often provides an appropriate balance between timeliness and thoroughness." [1]
So, as you can see, the 60-day window that eEye uses is actually *longer* than the general industry guidelines as set by Microsoft and other security companies.
Reasonable amount of time? Should it take them a year to fix vulnerabilities? If you believe that, then the secretly encoded brainwashing images within Channel 9 productions are finally starting to pay off.
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
[1] - http://www.oisafety.org/