| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: mvp at joeware.net (Joe) Subject: 3 new MS patches next week... but none fix MS does beta test fixes, some companies could be on that beta test program. However, I really highly doubt MS is documenting specific bug issues they are generating fixes for and the details of those fixes and selling it to companies as that would be a huge liability issue. That would ultimately get out and damage MS and no matter how much people hate MS, they didn't get to where they are by being outright stupid. I realize there isn't anything that can be said to someone who has a differing opinion. It is like the Pete Rose and the Hall of Fame question, some people think he should be in, some people don't; you can't convince either side otherwise. Most likely what the guy is selling (or trying to sell) is some sort of IDS/network system that grabs the problem packets before they get to the server's application layer to do damage. Companies like eEye have been doing this for a long time - have a predefined "these packets are within our tolerances" baseline and then anything that is outside of it gets squished. It is actually a good idea (I think) for any machine publicly exposed. You define the traffic you are willing to take including request lengths, etc for various ports/protocols and anything outside of that gets dropped and an error is generated. Maybe it is a new way to access a new app on the box, maybe it is a new attack style. Either way if say that HTTP request is composed of more than say x bytes, the http daemon never sees it. If the company had a real patch that they developed from detailed purchased info from MS I think the patch wouldn't be called virtual and it would violate the crap out of whatever license they have with MS to get that info in the first place. Hell a company with a good firewall product could call that virtual patching... You run our product and you are virtually patched from all of these attack vectors and never have to install the official MS/Linux/BSD/Solaris/??/Cray specific patch unless you want to. The huge liability hole I would see is say some company buys that info MS allegedly publishes, generates some attack code and robs some company or government blind with it. If the info came out that the data concerning how to compromise that hole came straight from MS without MS first providing a publicly available patch I could visualize a slew of lawyers descending and claiming MS was an accomplice. joe -----Original Message----- From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Tim Sent: Friday, January 09, 2004 11:44 PM To: Randal, Phil Cc: full-disclosure@...ts.netsys.com Subject: Re: [Full-Disclosure] 3 new MS patches next week... but none fix A certain very large vendor has been trying to court my company, and during small talk over lunch, we mentioned we were very busy with the M$ patch batch of the month. In a little mum's-the-word response, the vendor representative implied that they could make that problem "go away" with something they called "virtual patches", which he was quite smug about. I was very confused at first, as he didn't appear to be trying to sell a specific product, but when I ran the conversation back through my mind, I realized that M$ must be giving pre-release information to major vendors. Probably for a heafty price tag. This is sickening to me. M$ likely is making money off of their own liability. This is very similar to the bullshit trick the ISC has been pulling with BIND.
Powered by blists - more mailing lists