lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <442977C4.3060809@kc.rr.com>
Date: Tue Mar 28 18:51:36 2006
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: Security Alert: Unofficial IE patches appear
	on internet

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

n3td3v wrote:
> Security Alert:
> Microsoft who wait for a "Patch Tuesday" to release software solutions
> for critical bugs are creating a world of opportunity for hackers to
> take advantage of the situation. Not only do unofficial patches allow
> script kids to patch systems, but it allows for phishing of malcious
> fake patches (phishing) to appear on web, which may comtain further evil
> code unrelated to the initial flaw...
[snip]
> Lastly, we stress Microsoft again to solve the trend of third party
> patches with all its side effects and security threats attached to it by
> releasing patches before a "Patch Tuesday" for critical flaws.

Newsflash, idiot: you're not the first one to think of this.  Plenty of
people at Microsoft beat you to the punch.  When the threat environment
created by a vulnerability is as serious as this case and the available
code-independent workarounds (i.e., other than patches) are so poor,
Microsoft will be inclined strongly against holding on to this patch.

I'd venture to bet that Microsoft will make this patch available as soon
as they're confident in the quality of it.  Their first patch day is, at
this point, nothing more than a benchmark.  They might beat it but they
almost certainly won't fall short of it unless there are major quality
issues.

The other thing that you obviously have no clue of is that even a
release on patch Tuesday is "out-of-cycle" as far as Microsoft's test
processes are concerned.  Microsoft normally issues IE patches on a two
month cycle -- February, April, June, August, October, December.

You can bet that they don't release patches for non-public
vulnerabilities with a mere 20 days of testing (and that assumes they
started on the patch the day the issue was published).  When I reported
a vulnerability in August that was (originally) scheduled for a
bulletin, Microsoft said that if it made a bulletin, the earliest would
be December.  That was just shy of four months, and they weren't even
certain it would make that release cycle.  Microsoft doesn't have that
kind of time here, and it's a damn sure bet that they aren't taking it.

Some good documentation on Microsoft's patch development processes (and
how they vary for products) would help you avoid this ignorant and
noobish mistake and put an end to ignorant media reporting about how
Microsoft is sticking to its schedule with this patch -- which couldn't
be much further from the truth.

I guess it's easier to bash Microsoft for made-up, delusional reasons
like "they're standing and watching while people get 0wn3d!" than for
the real reasons (i.e., a six-month "standard procedure" patch process).
Those in the latter category actually require some work to understand,
and apparently don't give people the instant ego boost of thinking
they're "taking on the monopoly".

If you want people to take you seriously, you should try sticking to
facts.  If you're seen as another wolf-crier preaching about how
Microsoft is Satan (which you are, as far as I'm concerned), you will
quickly lose credibility.  That is, of course... assuming there was
credibility to lose.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFEKXfEfp4vUrVETTgRAzg8AKCEwQHzHdvGwnpJJQZ2tp0N2tyEYACgiXku
u/x2zbhvAWFHS/gINWaP+N8=
=YUtJ
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3436 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060328/6ad3eb82/smime.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ