Message-ID: <200401101557.i0AFvi0H008010@cuba.globat.com>
From: mvp at joeware.net (Joe)
Subject: 3 new MS patches next week... but none fix

MS does beta test fixes; some companies could be on that beta test program.
However, I really highly doubt MS is documenting specific bug issues they
are generating fixes for and the details of those fixes and selling it to
companies, as that would be a huge liability issue. That would ultimately get
out and damage MS, and no matter how much people hate MS, they didn't get to
where they are by being outright stupid. I realize there isn't anything that
can be said to someone who has a differing opinion. It is like the Pete Rose
and the Hall of Fame question: some people think he should be in, some
people don't; you can't convince either side otherwise.

Most likely what the guy is selling (or trying to sell) is some sort of
IDS/network system that grabs the problem packets before they get to the
server's application layer to do damage. Companies like eEye have been doing
this for a long time - have a predefined "these packets are within our
tolerances" baseline and then anything that is outside of it gets squished.
It is actually a good idea (I think) for any machine publicly exposed. You
define the traffic you are willing to take, including request lengths, etc.,
for various ports/protocols, and anything outside of that gets dropped and an
error is generated. Maybe it is a new way to access a new app on the box,
maybe it is a new attack style. Either way, if say that HTTP request is
composed of more than, say, x bytes, the HTTP daemon never sees it.

If the company had a real patch that they developed from detailed purchased
info from MS, I think the patch wouldn't be called virtual, and it would
violate the crap out of whatever license they have with MS to get that info
in the first place. Hell, a company with a good firewall product could call
that virtual patching... You run our product and you are virtually patched
from all of these attack vectors and never have to install the official
MS/Linux/BSD/Solaris/??/Cray specific patch unless you want to.

The huge liability hole I would see is, say, some company buys that info MS
allegedly publishes, generates some attack code and robs some company or
government blind with it. If the info came out that the data concerning how
to compromise that hole came straight from MS without MS first providing a
publicly available patch, I could visualize a slew of lawyers descending and
claiming MS was an accomplice.


  joe
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Tim
Sent: Friday, January 09, 2004 11:44 PM
To: Randal, Phil
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] 3 new MS patches next week... but none fix


A certain very large vendor has been trying to court my company, and during
small talk over lunch, we mentioned we were very busy with the M$ patch
batch of the month.  In a little mum's-the-word response, the vendor
representative implied that they could make that problem "go away" with
something they called "virtual patches", which he was quite smug about.  I
was very confused at first, as he didn't appear to be trying to sell a
specific product, but when I ran the conversation back through my mind, I
realized that M$ must be giving pre-release information to major vendors.
Probably for a hefty price tag.

This is sickening to me.  M$ likely is making money off of their own
liability.  This is very similar to the bullshit trick the ISC has been
pulling with BIND.
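Joe's description of "virtual patching" above amounts to a positive-security baseline: per port, declare the request shapes you are willing to accept and drop everything else before the daemon sees it. The filter below is an added illustration of that idea, not code from either poster or from any vendor product; the policy values, port numbers and sample requests are constructed for the example.

```python
"""Toy baseline filter in the style Joe describes: per-port tolerances for
HTTP request size, line length and method; anything outside them is dropped
and an error is generated instead of handing the request to the daemon."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    max_request_bytes: int       # whole request as read off the wire
    max_line_bytes: int          # any single request-line or header line
    allowed_methods: frozenset   # methods the service behind this port actually uses


# Constructed policy: port 80 serves static pages and only needs GET/HEAD.
POLICY = {80: Baseline(4096, 512, frozenset({"GET", "HEAD"}))}


def inspect(port: int, raw: bytes):
    """Return ("allow", "") or ("drop", reason). Ports with no baseline are
    dropped too: that is the allowlist default Joe's scheme implies."""
    base = POLICY.get(port)
    if base is None:
        return "drop", f"no baseline for port {port}"
    if len(raw) > base.max_request_bytes:
        return "drop", f"request {len(raw)} bytes exceeds {base.max_request_bytes}"
    head, _, _ = raw.partition(b"\r\n\r\n")       # only the head is inspected
    lines = head.split(b"\r\n")
    for line in lines:
        if len(line) > base.max_line_bytes:
            return "drop", f"line of {len(line)} bytes exceeds {base.max_line_bytes}"
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return "drop", "malformed request line"
    if parts[0].decode("ascii", "replace") not in base.allowed_methods:
        return "drop", f"method {parts[0]!r} outside baseline"
    return "allow", ""


def error_response(reason: str) -> bytes:
    """Error sent to the client in place of the daemon's answer (constructed)."""
    body = f"request rejected by filter: {reason}\n".encode()
    return (b"HTTP/1.1 400 Bad Request\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\nConnection: close\r\n\r\n" + body)


# Constructed samples: an ordinary request and one with an over-long header line.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
OVERLONG = b"GET / HTTP/1.1\r\nHost: " + b"A" * 600 + b"\r\n\r\n"

if __name__ == "__main__":
    for sample in (NORMAL, OVERLONG):
        verdict, why = inspect(80, sample)
        print(verdict, why or "(within baseline)")
```

The price of the approach is visible in the last check: a legitimate new application that needs POST on port 80 is dropped until the baseline is widened, which is exactly the "new app or new attack, either way the daemon never sees it" trade-off Joe describes.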