Yeah, I mean…what IS “end of life” / “end of support” other than not patching newly found issues, after long enough? Not enough info in the article to indicate any kind of bait and switch or annoyingly short support window, and the support window didn’t end recently either. Seems pretty reasonable TBH.
Then again it’s a lot of vulnerable devices, and doesn’t sound like too hard of a fix. But for all I know they’ve dismantled their tooling for testing patches on those devices, etc. Would be nice if they addressed it, but I can’t exactly condemn them for not.
It looks like they just didn’t neutralize/sanitize controllable input data so it should be a pretty easy fix. I think if a security researcher gives you a layup by identifying an easily fixable vulnerability a company should just take it, even if the product is old. If for no other reason than it’s bad marketing when news articles like this come out.
Yeah, I know what you mean, and yep it looked like just input sanitization on a very specific thing. I don’t disagree, headlines being headlines, and even just broad benefit vs. overall level of effort seems pretty positive to me from an outsider’s perspective.
But then again, issuing a firmware update is also an implicit guarantee that no (unrelated) functionality will degrade, which really needs a degree of testing in order to be a responsible business decision. And then on the optics side, I can see there being a benefit to a hard line in the sand regarding EOL, vs getting into the weeds of determining on a case by case basis what merits violating their own policy, and all the implications such granular judgment calls would entail (although they and all others probably must do something similar, to some degree).
Idk, I don’t own much or any of their stuff these days, no real skin in the game, nor do I have any particularly relevant info or opinions on the company. Just rambling lol.
Yeah, I mean…what IS “end of life” / “end of support” other than not patching newly found issues, after long enough? Not enough info in the article to indicate any kind of bait and switch or annoyingly short support window, and the support window didn’t end recently either. Seems pretty reasonable TBH.
Then again it’s a lot of vulnerable devices, and doesn’t sound like too hard of a fix. But for all I know they’ve dismantled their tooling for testing patches on those devices, etc. Would be nice if they addressed it, but I can’t exactly condemn them for not.
It looks like they just didn’t neutralize/sanitize controllable input data so it should be a pretty easy fix. I think if a security researcher gives you a layup by identifying an easily fixable vulnerability a company should just take it, even if the product is old. If for no other reason than it’s bad marketing when news articles like this come out.
Yeah, I know what you mean, and yep it looked like just input sanitization on a very specific thing. I don’t disagree, headlines being headlines, and even just broad benefit vs. overall level of effort seems pretty positive to me from an outsider’s perspective.
But then again, issuing a firmware update is also an implicit guarantee that no (unrelated) functionality will degrade, which really needs a degree of testing in order to be a responsible business decision. And then on the optics side, I can see there being a benefit to a hard line in the sand regarding EOL, vs getting into the weeds of determining on a case by case basis what merits violating their own policy, and all the implications such granular judgment calls would entail (although they and all others probably must do something similar, to some degree).
Idk, I don’t own much or any of their stuff these days, no real skin in the game, nor do I have any particularly relevant info or opinions on the company. Just rambling lol.