Re: IBM report reviews Internet crime

North American Network Operators Group

Re: IBM report reviews Internet crime

From: Owen DeLong
Date: Tue Feb 12 17:25:23 2008

On Feb 12, 2008, at 11:46 AM, Florian Weimer wrote:

* Owen DeLong:

If the vulnerability cannot be corrected through a vendor patch, then, one has to wonder what, exactly the vulnerability is.
You assume that a vendor patches a vulnerability once they learn about it. In my experience, this is not true. Sometimes it's easy to explain (product or vendor ceased to exist), sometimes it's not (some cross- site scripting issues I'm trying to straighten out; minor bugs to you perhaps, but huge media exposure because of their visibility and reproducibility--think FDIV bug).

No, I presume that a vulnerability identified as "cannot be resolved through vendor patch" means a vulnerability for which, even if a vendor patch were available, it would not resolve the vulnerability. A vulnerability for which a patch is not yet available, but, which could be resolved if the vendor released a patch is a vulnerability which "CAN be resolved through vendor patch when one becomes available."

It is unclear from the text provided which of our conflicting definitions for the term applies in IBM's text.

Owen

Follow-Ups:
- Re: IBM report reviews Internet crime Florian Weimer

References:
- IBM report reviews Internet crime michael.dillon
- Re: IBM report reviews Internet crime Owen DeLong
- Re: IBM report reviews Internet crime Florian Weimer

Prev by Date: Re: IBM report reviews Internet crime
Next by Date: Re: Level 3, again
Date Index
Thread Index
Author Index
Historical