On Jun 8, 12:33pm, Tey Wei Ming wrote:
} Subject: Re: nt firewall
} > See inline comments ...
} well, my experience with vendors (unix or not) doesn't seem to show many are
} willing to admit mistakes. chances are problems are reported by the users
} rather than vendors.

In general, CERT doesn't issue an advisory until the vendor(s) have
a patch or workaround that CERT can publish in the advisory, so that
owners of the affected machines can take steps to protect themselves.
Otherwise, the advisory would only increase the number of people who
could exploit the problem without giving most machine owners (the
non-experts and those without access to the necessary source code)
the means to protect themselves.

Since I consider myself an "expert", I'm not always well served by
this policy, since there have been cases where security holes have
become fairly widely known and my vendors have not released patches
in a timely manner, but there were still steps I would be able to
take to protect myself if I knew there was a problem. I do take
steps beyond just following CERT advisories to keep myself informed.

I suspect that most of these problems have been uncovered by third
parties and reported to either CERT or the vendor(s) instead of being
first discovered by the vendors.