| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Mar 29 17:49:28 2006 From: i.m.crazy.frog at gmail.com (crazy frog crazy frog) Subject: Security Alert: Unofficial IE patches appear oninternet groundzero, why u keep replying?kindly ignore such stuff. On 3/29/06, n3td3v <n3td3v@...il.com> wrote: > > On 3/29/06, GroundZero Security <fd@....org> wrote: > > > > > > Oh shut up i thought you have unsubscribed from this list ? > > You claim that your imaginary people work for microsoft, > > so why dont you simply tell them to act up instead of > > annoying everyone here on FD. Stop pretending and get lost. > > > > "Imaginary and pretending"... I like that one. > > > > > > > > > Inofficial patches are not evil no matter what you think about them. > > You have no clue anyway....do you even know what a patch is ? > > Unofficial patches are just ment as initial help until a proper patch > > is out, not for mission critical systems. Microsoft needs time to > > develope a proper patch as they can't simply throw together a patch, > > but also have to test if it wont break any existing software etc as > > windows is so windely used on tons of different platforms and along > > with so many Software products, that they have to make sure its all > > stable. Sure they cant always have perfect results, but if you have > > to bitch so much about it, why dont you write a proper patch? > > > > oh yes i forgot, you can't code.......' > > > > You should hear yourself. You say you've been around since 1994 but you > ramble some spit about basic knowledge about "all platforms need to be > tested". Yeah, we all know this, like this is FD, we all have expertise in > this field. > > > > > > > > > > > Another funny thing you said to someone: > > > > "There you go on assuming my knowledge base, even though i've > > been around the security scene longer than you." > > > > > > Well i remember your old mails where you bragged about having > > +6 years expirience in the security field. so you came around > > 1999/2000 ..i started in 1994, so i can lay down the same attitude > > > > To be honest I DON'T care when you started, but you don't come across as > someone who has worked in the industry since 1994, far from it. Maybe you > should look at your own performance on FD, before you start bashing the > n3td3v security group and the founder. > > > > > > > > > on you kiddie, isnt it? Besides of that, it doesnt matter if you hang > > on irc since 20 years, it matters what you did in that time. > > > > IRC? You're having a laugh right... > > > > > > > > Others learn and improove, while you just try to look cool with your > > imaginary group, yet you still expect that someone takes you serious here. > > > > You seem to think a handful of trolls on FD (you) bashing the n3td3v group > is representative of anything credible. > > > ----- Original Message ----- > > > > > > From: n3td3v > > To: full-disclosure@...ts.grok.org.uk > > > > Sent: Tuesday, March 28, 2006 8:46 PM > > Subject: Re: [Full-disclosure] Security Alert: Unofficial IE patches > appear oninternet > > > > > > > > On 3/28/06, Matthew Murphy <mattmurphy@...rr.com > wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > > Hash: RIPEMD160 > > > > > > > > > Newsflash, idiot: you're not the first one to think of this. Plenty of > > > people at Microsoft beat you to the punch. When the threat environment > > > created by a vulnerability is as serious as this case and the available > > > code-independent workarounds (i.e., other than patches) are so poor, > > > Microsoft will be inclined strongly against holding on to this patch. > > > > > > Matthew firstly starts off his rant by claiming n3td3v is an idiot and > then uses some clever words to talk about something thats not entirely > clear, but I guess what he is trying to say is hidden inbetween his wording. > > > > > I'd venture to bet that Microsoft will make this patch available as soon > > > as they're confident in the quality of it. Their first patch day is, at > > > this point, nothing more than a benchmark. They might beat it but they > > > almost certainly won't fall short of it unless there are major quality > > > issues. > > > > > > You would venture to bet? Theres no betting involved. They do only release > a patch after Q.A testing. Although they can in certain situations bring > forward a patch sooner. Its not about beating a patch day. Microsoft often > have patches ready but wait for the corporate known about Tuesday and > Thursday press release days that all corporations globally adhere to in the > world of security and otherwise. > > > > > The other thing that you obviously have no clue of is that even a > > > release on patch Tuesday is "out-of-cycle" as far as Microsoft's test > > > processes are concerned. Microsoft normally issues IE patches on a two > > > month cycle -- February, April, June, August, October, December. > > > > > > > > The other thing I "obviously" have no clue about? There you go on assuming > my knowledge base, even though i've been around the security scene longer > than you. Sure, Microsoft have a "comfortable" release cycle, although thats > just to space everything out in their minds as a corporation. Remember the > days before Microsoft started patch tuesday? Yeah, they would release > critical patches whenever they see fit. To me the mistake was that they > started "Patch Tuesday", so as a corporation, even though its a good thing > for normal bug fixes to be issues only once monthly, it makes it harder for > Microsoft to release a patch out of cycle for "critical flaws". You seem to > think theres not employees at Microsoft who don't want to release patches > inbetween patch tuesday. You're wrong, behind the scenes at Microsft right > now theres loads of people saying, "we want to release inbetween patch > tuesday for critical flaws, but because we've invented patch tuesday for > flaws generally, the more we do release patches inbeween patch tuesday, the > more it weakness to our patch tuesday policy" "We think patch tuesday is > good, but it restricts us to push out patches inbetween that, because we > want to keep credibility to our patch release day for all other flaws". So > you see, its not that Microsoft don't agree with out of cycle patch > releases, its just they don't want to spoil their overall patch tuesday > policy. Microsoft don't like to send out mixed messages, so until the higher > folks at MS start listening, then patch tuesday will continue to pose a > threat for when critical remote access flaws come along. > > > > > You can bet that they don't release patches for non-public > > > vulnerabilities with a mere 20 days of testing (and that assumes they > > > started on the patch the day the issue was published). When I reported > > > a vulnerability in August that was (originally) scheduled for a > > > bulletin, Microsoft said that if it made a bulletin, the earliest would > > > be December. That was just shy of four months, and they weren't even > > > certain it would make that release cycle. Microsoft doesn't have that > > > kind of time here, and it's a damn sure bet that they aren't taking it. > > > > > > > > We're not talking about non-public flaws! I'm talking about 0-day that > goes into the wild, where exploit code is then release, and where media hype > is created and then eeye and the others create a bigger security issue than > the intial flaw. > > > > > Some good documentation on Microsoft's patch development processes (and > > > how they vary for products) would help you avoid this ignorant and > > > noobish mistake and put an end to ignorant media reporting about how > > > Microsoft is sticking to its schedule with this patch -- which couldn't > > > be much further from the truth. > > > > > > Microsoft are about to relase out of its cycle again for this IE > vulnerability, accroding to my contacts.The patch tuesday policy is only > just a new thing, they would before release a patch at any time of their > choosing. Because of patch tuesday, it now makes it more difficult for them > to break this, as you would know if you had worked for a multinational > before, they don't like to backtrack on a policy which is more than > acceptable for non critical flaws, its only the issues of critical flaws > hitting the wild, where exploit code is released, where media hype is > created and then where folks like eeye release a patch, which will only ever > be avaiable to the security community and all of its malicious users, where > script kids can patch systems for their own evil agendas, and or also > seperate, phishers can release bogus eeye patches, or release a patch under > another name with malicious code inserted, a lot of the time to execute > another malicious code, unrelated to the intial exploit code vulnerability. > > > > > I guess it's easier to bash Microsoft for made-up, delusional reasons > > > like "they're standing and watching while people get 0wn3d!" than for > > > the real reasons (i.e., a six-month "standard procedure" patch process). > > > Those in the latter category actually require some work to understand, > > > and apparently don't give people the instant ego boost of thinking > > > they're "taking on the monopoly". > > > > > > > > NO, i'm not anti-Microsoft, lots of my friends work there. The only evil > is folks like eEye providing tools (patches) to the security community, > where legitimate users will never get a hold of, but you can bet malicious > users will and use the patch to their advantage. > > > > Microsoft only ever releases out of its new patch tuesday cycle when eeye > and all the others release third party patches. If you really were pro > Microsoft, you would be behind me in calling for all third party patches to > be slammed as a bad thing for Microsoft and the security community and the > public at large. Theres folks at Microsoft in complete agreement at what i'm > saying. Who agree, like me, that patch tuesday is a good thing normally, but > as soon as the evil third patches are released, then Microsoft has no choice > but to release out of cycle. > > > > If you had contacts at Microsoft like I do, you would realise everything > i'm saying is in line with what individuals within ms are thinking. > > > > Patch Tuesday = Good before third party patches appear > > Third party patch = Evil > > Patch Tuesday = Bad for everyone after third party patches appear, even > Microsoft, because they hate breaking out of the Patch Tuesday policy, even > though a lot of athe time a patch is ready for distrubution, Microsoft don't > want to break out of company policy, even though indviduals at Micrsoft wish > it was easier for a multinational to backtrack on its policy for critical > *public 0-day* > > > > > > > > > > > > ________________________________ > > > > > > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > -- ting ding ting ding ting ding ting ding ting ding ding i m crazy frog :) "oh yeah oh yeah... another wannabe, in hackerland!!!"
Powered by blists - more mailing lists