I have to agree that this bulletin is really lacking. There are organizations that just cannot "do a hot-fix" (DFIU), and the details in this bulletin give us no idea of exposure or a means to verify if we are at a high risk. There have been Adobe patches in the past that we have waited for a regular maintenance window to perform because there was little to no risk based on our analysis of the issue.
So, is it really worth the over-time, customer frustration and such to apply a hot-fix that may or may not fix an issue (because we have no details to verify before or after the fact)? Based on the bulletin and lack of detail, I would err on the pessimistic side and fear the most.

Byron Mann
Lead Engineer & Architect
HostMySite.com

On Wed, Sep 12, 2012 at 11:32 AM, Judah McAuley <[email protected]> wrote:
>
> On Tue, Sep 11, 2012 at 7:48 PM, <> wrote:
>>
>> >>I already read the Adobe bulletin, it doesn't really say much.
>>
>> I doubt you will ever see details and description about any possible attack.
>> It would be too easy for those looking for ideas...
>
> Publication of details of an attack is pretty common. Good guys will
> typically find an attack, alert the people who are in a position to
> fix the product(s), wait for them to confirm it and start on a fix and
> then publish the details of the attack after the vulnerability patch
> has been released. The reason for this is so other researchers (and
> people wanting to protect their own systems) have an idea of the types
> of issues that a product has been vulnerable to so they can poke
> around the edges and see if there are similar issues that may have
> been missed, thereby strengthening the overall security of the
> product. So, yes, the details are for people looking for ideas but
> that includes all the good people as well as the bad guys (tm).
> Security through obscurity isn't really security at all.
>
> cheers,
> Judah

