On 6/26/07 4:25 PM, "Wall, Kevin" <[EMAIL PROTECTED]> wrote:

I mean, was the fix really rocket science that it had to take THAT LONG??? 
IMHO, no excuse for taking that long.

8 months seems awfully long, but it doesn't surprise me that a big organization 
takes a really long time to get things like this out the door. I have worked 
with a lot of software companies over the years, and few have their entire test 
suite (unit, integration, system, regression) fully automated. It just doesn't 
work that way. People on this list would be just as condemning of a company 
that rushed a fix out the door with inadequate testing and managed to ship a 
new buffer overflow in the fix for an old one. Furthermore, it's not like the 
source code had been sitting idle with no modifications to it. They were surely 
in the middle of a dev cycle where they were adding lots of features and 
testing and so on. They have business priorities to address, since those 
features (presumably) are what bring revenue in the door and keep competitors 
off their market turf.

So, if everyone dropped everything they were doing and focused solely on fixing 
this one issue and doing a full battery of tests until it was release-worthy, 
it would have gone out a lot faster. But a company that did that on every bug 
that was reported would get no features released and go out of business. They 
have to weigh the impact of missing product goals versus the risk of exploits 
of a buffer overflow. I'm not sure we can categorically say (none of us being 
RealNetworks people) that they made the wrong decision. We don't have the 

Paco Hope, CISSP
Technical Manager, Cigital, Inc
http://www.cigital.com/ * +1.703.585.7868
Software Confidence. Achieved.

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to