Open Source and information security mailing list archives
Date: Wed Jan  4 20:24:38 2006
From: jworkman at pimpworks.org (Jeff Workman)
Subject: Unofficial Microsoft patches help hackers, not security

Does "Install this patch immediately!" ring any bells?

-J

--On Wednesday, January 04, 2006 1:56 PM -0600 Todd Towles 
<toddtowles@...okshires.com> wrote:

>
> The experts are just that..experts. How is releasing a patch that cuts
> out a vulnerable function in a DLL going to help attackers?
>
> Example??
>
> Releasing patches helps hackers when exploits don't already exist...but
> in this case, they do already exist. A patch (even from Microsoft) isn't
> going to give hackers/attackers any more information than they currently
> have and are using.
>
> Attackers RCE Microsoft patches all the time, to find the vulnerable
> function and to create exploits. This is true, but in this case..it isn't
> needed.
>
> __________________________________________________
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Joe
> Average
> Sent: Wednesday, January 04, 2006 12:33 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] Unofficial Microsoft patches help hackers, not
> security
>
>
>
> It has been said on C|NET/SecurityFocus and other places that "experts"
> are telling people to use unofficial patches, and to make things worse
> the "experts" are releasing patches. You've got to wonder who these
> "experts" are. By releasing unofficial patches, all you're doing is
> aiding the hackers, it doesn't help the situation one little bit for the
> overall picture of protecting Microsoft consumers. The majority of
> consumers aren't getting your unofficial patches, but you can be sure the
> hackers are using them, and using them to their advantage. If these
> unofficial patches weren't being released and experts weren't telling
> people to use them, I wouldn't be calling for Microsoft to bring forward
> the release date for the patch before the end of the week. It's the
> "experts" here who have now made the situation ten times worse, by giving
> their very bad advice and releasing their own unofficial patches.
>
> Well done the experts,
>
> You deserve the title after all
>
> More some more:
> http://n3td3v.blogspot.com
>



--
Jeff Workman | jworkman@...pworks.org | http://www.pimpworks.org
