disco jonny wrote:
> It's quite simple - they find vulns x, y, z in app 1, then when they
> release a patch for vulns a, b, c (all reported to them from outside
> sources) they also fix x, y, z. - see my previous two mails.

And just to clarify a bit further, you _occasionally_ also see cases where MS internal processes discovered a bug _which is_ documented in the security bulletin for the a, b, and c-type patches. This (the documentation of what would normally be a silent patch for an MS internally discovered vuln) apparently occurs, I think, for one of two reasons -- the patch produces some change in program behaviour which must be documented, or there have been reports of what turns out to be this vuln being exploited in the field post-discovery and pre-patch-release.

Careful reading of many MS security bulletins will turn up a small number of examples of both these cases. Dredging those archives to find any of these is left as an exercise for any concerned readers...

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
