lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: jbethune at town.kentville.ns.ca (Jason Bethune)
Subject: Office 2000 Vulnerability

Yes I have seen pirated copies on clients machines that can have SP1 and SP2
applied but it is tricky and not for the novice user. Once SP1 and Sp2 have
been applied it can then be updated fully to all the vulnerabilities. I am
sure there are tons of pirated copies floating around that the usual user
would not have a clue on how to patch them. Whether it is up to m$ to allow
these to be patched is a whole kettle of beans that I will assume they would
say if you don't pay for it then $crew you.



-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Rainer Gerhards
Sent: Wednesday, September 10, 2003 11:49 AM
To: nick@...us-l.demon.co.uk; full-disclosure@...ts.netsys.com
Cc: Andre Lorbach

> > ...  I guess this 
> > means network administrators have a small window of time to 
> start patching 
> > up systems before a virus is released.  Does anyone know of 
> a work around 
> > when updating Office 2000 with an update?  It asks for the 
> original CD that 
> > Office was installed from.  Any thoughts?
> 
> Go get the CD from the software safe??

I can see a number of valid reasons for not having the CD at hand... but
this also raises some other question.

Let's assume someone is using a pirated office version. Or a pirate XP
key. Now Microsoft makes it impossible for those to apply patches. This
seems to be the case. I am not sure if they deny all patches (someone
from MS to comment?). Let's assume they deny providing things like the
DCOM patch or this office patch.

Now, the pirate machine is unpatched, probably becomes infected and thus
is turned into an attacker itself.

There are two ways to look at the root cause:

#1 the user pirated the software and as such is fully responsible for
whatever attack is carried out from his system

OR

#2 Microsoft knew that this system would carry out malicious action (the
denied patching knowingly) and thus is to blame

I would tend to #2, Microsoft should provide critical patches even to
pirate copies, just to make sure its actual customers are not hit by the
pirates, at least not with attacks. Of course, I see there are some good
arguments against this...

Does anybody know of what they actually do? And then the other
vendors...

In short: Is piracy becoming a mainstream source for attacks because
there is a tendency to deny updates to pirates in the industry?

Rainer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ