On 6/26/07 4:25 PM, "Wall, Kevin" <[EMAIL PROTECTED]> wrote:
I mean, was the fix really rocket science that it had to take THAT LONG??? IMHO, no excuse for taking that long. 8 months seems awfully long, but it doesn't surprise me that a big organization takes a really long time to get things like this out the door. I have worked with a lot of software companies over the years, and few have their entire test suite (unit, integration, system, regression) fully automated. It just doesn't work that way. People on this list would be just as condemning of a company that rushed a fix out the door with inadequate testing and managed to ship a new buffer overflow in the fix for an old one. Furthermore, it's not like the source code had been sitting idle with no modifications to it. They were surely in the middle of a dev cycle where they were adding lots of features and testing and so on. They have business priorities to address, since those features (presumably) are what bring revenue in the door and keep competitors off their market turf. So, if everyone dropped everything they were doing and focused solely on fixing this one issue and doing a full battery of tests until it was release-worthy, it would have gone out a lot faster. But a company that did that on every bug that was reported would get no features released and go out of business. They have to weigh the impact of missing product goals versus the risk of exploits of a buffer overflow. I'm not sure we can categorically say (none of us being RealNetworks people) that they made the wrong decision. We don't have the information. Paco -- Paco Hope, CISSP Technical Manager, Cigital, Inc http://www.cigital.com/ * +1.703.585.7868 Software Confidence. Achieved. _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________