

Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire

Patching a broken Windows

from
»www.securityfocus.com/columnists/378
"..
Robert Lemos interviews Datarescue's senior software developer Ilfak Guilfanov, the creator of the unofficial patch for the flaw in the Windows Meta File format that saw tens of thousands of downloads prior to the official patch release by Microsoft. Guilfanov explains why he decided to issue a patch for the vulnerability, how he created the patch, and his thoughts on whether third-party patches are generally a good thing.
..
Was the patch hard to create?

Guilfanov: It took around 6 hours to develop the fix starting from scratch. I downloaded and studied the WMF format description, found an exploit and understood how it works. The last step was to write the fix and test it on my computers.
...
Considering the response and your own thoughts, would you ever write a patch again? Under what circumstances?

Guilfanov: While the response is much more favorable than I expected, I prefer not to have any reasons to write a hotfix. Not this time, neither in the future. In the ideal world the vulnerabilities do not exist, second to ideal is to have patches created by the vendor as soon as possible. Given the impossibility of the first option, let's strive for the second one. ..."

Cudni
--
Some are born to failure, others achieve it, all deserve it
Help yourself so God can help you


jack b
Gone Fishing
Premium,MVM
join:2000-09-08
Cape Cod
Nice.
It could be called "A day in the life of a Very humble programmer".


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!

Or, conversation with a real professional. I'm impressed with his analysis, responses and attitude.
This answer puts forth a great position (bolding mine) -
Do you think that patches that are not created by the software's developer should be installed as a general rule?

Guilfanov: As a general rule, they should not be applied. Can third parties be trusted? Do they have the testing resources of the vendor?

The current situation was, in my perception, a bit different. First there was the danger, then I saw a relatively simple and clean, risk free fix. My intention was not to impose it on anyone, but I found this an interesting topic for my blog (that's why source code was immediately posted) and I felt this was important from a trust point of view. If I could help my knowledgeable audience - who could do their own testing, why not? People are posting exploits all the time, why not post a solution for a change?

--
In Memoriam - NRK 1 FEB 1918 - 6 NOV 2005 - B-17 pilot - 50 missions over Europe and North Africa - 347th Squadron, 99th Bomb Group - Husband, Father, Grandfather, Great Grandfather, friend --- A knight and gentleman gone to peace
over 10 years online! © 1999-2009 dslreports.com.