> - Customers can test for themselves whether a patch works or was applied
> correctly.

I think this is a very important point. Customers need to be able to test to see if applying a second, later patch has made them vulnerable to an earlier patched exploit. An example with this worm was where a later patch once again left you vulnerable. How are we to know if we don't have something to test with?

We obviously can't trust the vendors, and with the range of different configurations of machines I'm not even sure that's a reasonable requirement of a vendor to test every possible combination. We have beta testers for software; how can we put patch code through the same sort of tests if we have nothing to test with to see if it's actually patched the systems we run? We may not need code to exploit, but what about code to prove we are patched?

Geo.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
