North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: IBM report reviews Internet crime

  • From: Owen DeLong
  • Date: Tue Feb 12 17:25:23 2008

On Feb 12, 2008, at 11:46 AM, Florian Weimer wrote:

* Owen DeLong:

If the vulnerability cannot be corrected through a vendor patch, then,
one has to wonder what, exactly the vulnerability is.

You assume that a vendor patches a vulnerability once they learn about
it. In my experience, this is not true. Sometimes it's easy to explain
(product or vendor ceased to exist), sometimes it's not (some cross- site
scripting issues I'm trying to straighten out; minor bugs to you
perhaps, but huge media exposure because of their visibility and
reproducibility--think FDIV bug).

No, I presume that a vulnerability identified as "cannot be resolved through
vendor patch" means a vulnerability for which, even if a vendor patch were
available, it would not resolve the vulnerability. A vulnerability for which
a patch is not yet available, but, which could be resolved if the vendor
released a patch is a vulnerability which "CAN be resolved through
vendor patch when one becomes available."

It is unclear from the text provided which of our conflicting definitions for
the term applies in IBM's text.