Author Topic: Info on Windows' WMF Vulnerability  (Read 16571 times)

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
    • View Profile
Re: Info on Windows' WMF Vulnerability
« Reply #30 on: January 08, 2006, 02:17:26 pm »
Well yea they but they take into account the other languages, other factors which may affect the result, best way to fix it, what the repercussions will be (What functionality will they lose), etc.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Info on Windows' WMF Vulnerability
« Reply #31 on: January 08, 2006, 02:43:47 pm »
And, why don't they test that?

If I was them, I'd have a test bed server that runs every imaginable variation, and tests them all, with the repercussions, all at once. 

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Info on Windows' WMF Vulnerability
« Reply #32 on: January 08, 2006, 02:47:43 pm »
Yeah, I really doubt testing takes that long if they make it top priority... just look at how many programmers they have!

Offline Warrior

Re: Info on Windows' WMF Vulnerability
« Reply #33 on: January 08, 2006, 06:26:23 pm »
It isn't a matter of testing, it's a matter of analyzing what functionality they lose out of what they patch to restrict the exploit from happening. I'd want to compare that and if it isn't worth it find another way to fix the exploit. Things like that they need to consider.

Offline Sidoh

Re: Info on Windows' WMF Vulnerability
« Reply #34 on: January 08, 2006, 06:29:51 pm »
Quote
It isn't a matter of testing, it's a matter of analyzing what functionality they lose out of what they patch to restrict the exploit from happening. I'd want to compare that and if it isn't worth it find another way to fix the exploit. Things like that they need to consider.

Seems like a perfectly valid definition and entailment of testing to me. :)

With something this potentially devastating, they need to get a patch out that prevents people from taking advantage of the exploit and THEN figure out what its negative effects are.

Offline iago

Re: Info on Windows' WMF Vulnerability
« Reply #35 on: January 08, 2006, 10:29:00 pm »
Quote
It isn't a matter of testing, it's a matter of analyzing what functionality they lose out of what they patch to restrict the exploit from happening. I'd want to compare that and if it isn't worth it find another way to fix the exploit. Things like that they need to consider.

Yeah, and yet again, I'll say: why can't that be automated?

Offline igimo1

  • Full Member
  • ***
  • Posts: 420
    • View Profile
Re: Info on Windows' WMF Vulnerability
« Reply #36 on: January 09, 2006, 01:58:29 am »
Innumerable variables in the testing, of course!

Offline Warrior

Re: Info on Windows' WMF Vulnerability
« Reply #37 on: January 09, 2006, 02:12:19 am »
You want something to automate something as crucial as that? PCs make mistakes and when automated are assumed to be correct. User-made mistakes may be found easily plus save them the embarrassment of releasing a bad patch. The entire world isn't a bunch of Linux fanboys sitting around open source, Microsoft is a corporation which needs to satisfy all of its customers and it makes the best decisions available business wise. I doubt they are going to sacrifice the way they test for a few days (yes a few) of an earlier release. It's not like the patch times between the guy and Microsoft was that incredibly omg off the wall hold the phone long.

@Sidoh: Again, they think for ALL of their customers and aren't going to potentially make software lose some functionality to again gain a few days of an earlier release.

Like I said it was patched in a timely manner and in an efficient manner. I downloaded and installed the patch and so did the entire hundred zillionjillion that uses Windows. Life goes on.

Offline iago

Re: Info on Windows' WMF Vulnerability
« Reply #38 on: January 09, 2006, 02:27:38 am »
Quote
You want something to automate something as crucial as that? PCs make mistakes and when automated are assumed to be correct. User-made mistakes may be found easily plus save them the embarrassment of releasing a bad patch. The entire world isn't a bunch of Linux fanboys sitting around open source, Microsoft is a corporation which needs to satisfy all of its customers and it makes the best decisions available business wise. I doubt they are going to sacrifice the way they test for a few days (yes a few) of an earlier release. It's not like the patch times between the guy and Microsoft was that incredibly omg off the wall hold the phone long.

I'd trust a computer to test every possibility much sooner than I'd trust a human. You're right, the world ISN'T a bunch of Linux fanboys sitting around, and humans WON'T find every bug, which is why every path should be exercised, and the only way that's going to happen is with a computer doing it. As you said, there are dozens of versions, and hundreds of paths involving that code, so do you really expect a human to be able to enumerate all of those better than a computer? I doubt it.

Quote
Like I said it was patched in a timely manner and in an efficient manner. I downloaded and installed the patch and so did the entire hundred zillionjillion that uses Windows. Life goes on.

Except for the people whose computers got screwed up in the 2 week gap because of Viruses. And the companies that lost money because their computers were down due to this. Except people who had information stolen or otherwise abused by malicious hackers with the exploit code. In the 2 weeks while there was no patch, everybody in the world was a sitting duck. While Microsoft was waiting for their patch cycle (Microsoft employees had a patch for it a week before they actually released it), people were being exploited and infected because Microsoft doesn't want to make it look like they release too many patches. God forbid they keep their customers SAFE.

Offline Warrior

Re: Info on Windows' WMF Vulnerability
« Reply #39 on: January 09, 2006, 05:01:04 pm »
Since Humans won't find all bugs I would have a bug nested in the bug testing software which automates the testing. I'm sure however they did use some automation in some areas but leaving it to something to automate the testing is pretty silly.

The information about the patch was fully disclosed and Microsoft patched it within two weeks and ahead of schedule which is a lot to say for the severity of the exploit as explained before. Like with every exploit, people are going to get hurt by it there is nothing stopping that. That guy released a patch along with some other companies, I disagree with Microsoft discouraging the use of them. They work until Microsoft officially released their patch in which case those applied patches should be uninstalled.

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: Info on Windows' WMF Vulnerability
« Reply #40 on: January 09, 2006, 06:36:54 pm »
Quote
I disagree with Microsoft discouraging the use of them.
I don't necessarily agree or disagree with whether they should have discouraged it, but it's not like it's MS being evil, just about any non company that is out for a profit will say the same thing for CYA.

Offline iago

Re: Info on Windows' WMF Vulnerability
« Reply #41 on: January 09, 2006, 07:34:21 pm »
Quote
Since Humans won't find all bugs I would have a bug nested in the bug testing software which automates the testing. I'm sure however they did use some automation in some areas but leaving it to something to automate the testing is pretty silly.

The information about the patch was fully disclosed and Microsoft patched it within two weeks and ahead of schedule which is a lot to say for the severity of the exploit as explained before. Like with every exploit, people are going to get hurt by it there is nothing stopping that. That guy released a patch along with some other companies, I disagree with Microsoft discouraging the use of them. They work until Microsoft officially released their patch in which case those applied patches should be uninstalled.

Because the testing software would probably be a few hundred lines, maybe a couple thousand, and Windows NT is 40,000,000 lines.  I think I'd trust the testing program to test 40 million lines before I'd trust a human to check 40 million. 

Microsoft left their users vulnerable for 2 weeks to test a 1-line patch.  I stand by the fact that there's no way it should have taken that long, unless they're trying each and every version of Windows individually, which would be dumb, as I already said. 

Offline Warrior

Re: Info on Windows' WMF Vulnerability
« Reply #42 on: January 10, 2006, 05:37:29 am »
It isn't checked all at once after it's done (Windows NT) it is tested component by component as it is written. Divide+Conquer type thing.

Now I think their patch was a little bit more elaborate than one line since it was stated that there were differences between that guy's and Microsoft's which required the user to uninstall that and install the official one since they did some things differently. Of course they didn't test on all platforms one after the other, rather all at once using different teams. Once they saw the situation was getting out of hand and their own patch leaked, they released it ahead of time.

Do you think Microsoft reads the security sites where information is disclosed? I doubt it, they find the source of it themselves THEN patch it which I would be able to see why there was a 2 week window in the development and release.

Offline iago

Re: Info on Windows' WMF Vulnerability
« Reply #43 on: January 10, 2006, 11:07:55 am »
It should be checked all at once, that's what I've been saying this whole thread.  If it's not, then they're dumb. 

Yes, of course they read security sites.  If they don't, they're dumb.

Offline Ergot

  • 吴立峰 ^_^ !
  • x86
  • Hero Member
  • *****
  • Posts: 3724
  • I steal bandwidth. p_o
    • View Profile