also having to edit hundreds or possibly thousands of security sandboxes is really not acceptable, not to mention the fact that disabling that function will break many sites, such as those using popular frameworks. This really isn't a very acceptable solution.
On Wed, Sep 12, 2012 at 6:26 PM, Byron Mann <[email protected]> wrote:
>
> I have to agree that this bulletin is really lacking.
>
> There are organizations that just cannot "do a hot-fix" (DFIU), and the details in this bulletin give us no idea of exposure or a means to verify if we are at a high risk. There have been Adobe patches in the past that we have waited until a regular maintenance window to perform because there was little to no risk based on our analysis of the issue.
>
> So, is it really worth the overtime, customer frustration and such to apply a hot-fix that may or may not fix an issue (because we have no details to verify before or after the fact)?
>
> Based on the bulletin and lack of detail, I would err on the pessimistic side and fear the most.
>
> Byron Mann
> Lead Engineer & Architect
> HostMySite.com
>
>
> On Wed, Sep 12, 2012 at 11:32 AM, Judah McAuley <[email protected]> wrote:
> >
> > On Tue, Sep 11, 2012 at 7:48 PM, <> wrote:
> >>
> >> >> I already read the Adobe bulletin, it doesn't really say much.
> >>
> >> I doubt you will ever see details and description about any possible attack.
> >> It would be too easy for those looking for ideas...
> >
> > Publication of details of an attack is pretty common. Good guys will typically find an attack, alert the people who are in a position to fix the product(s), wait for them to confirm it and start on a fix, and then publish the details of the attack after the vulnerability patch has been released. The reason for this is so other researchers (and people wanting to protect their own systems) have an idea of the types of issues that a product has been vulnerable to, so they can poke around the edges and see if there are similar issues that may have been missed, thereby strengthening the overall security of the product. So, yes, the details are for people looking for ideas, but that includes all the good people as well as the bad guys (tm).
> > Security through obscurity isn't really security at all.
> >
> > cheers,
> > Judah
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352562

