[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3a166c090603281046l5b74ef3fwb621c5bedab0bae2@mail.gmail.com>
Date: Tue Mar 28 19:46:33 2006
From: n3td3v at gmail.com (n3td3v)
Subject: Security Alert: Unofficial IE patches appear on
internet
On 3/28/06, Matthew Murphy <mattmurphy@...rr.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
>
> Newsflash, idiot: you're not the first one to think of this. Plenty of
> people at Microsoft beat you to the punch. When the threat environment
> created by a vulnerability is as serious as this case and the available
> code-independent workarounds (i.e., other than patches) are so poor,
> Microsoft will be inclined strongly against holding on to this patch.
Matthew firstly starts off his rant by claiming n3td3v is an idiot and then
uses some clever words to talk about something thats not entirely clear, but
I guess what he is trying to say is hidden inbetween his wording.
I'd venture to bet that Microsoft will make this patch available as soon
> as they're confident in the quality of it. Their first patch day is, at
> this point, nothing more than a benchmark. They might beat it but they
> almost certainly won't fall short of it unless there are major quality
> issues.
You would venture to bet? Theres no betting involved. They do only release a
patch after Q.A testing. Although they can in certain situations bring
forward a patch sooner. Its not about beating a patch day. Microsoft often
have patches ready but wait for the corporate known about Tuesday and
Thursday press release days that all corporations globally adhere to in the
world of security and otherwise.
The other thing that you obviously have no clue of is that even a
> release on patch Tuesday is "out-of-cycle" as far as Microsoft's test
> processes are concerned. Microsoft normally issues IE patches on a two
> month cycle -- February, April, June, August, October, December.
The other thing I "obviously" have no clue about? There you go on assuming
my knowledge base, even though i've been around the security scene longer
than you. Sure, Microsoft have a "comfortable" release cycle, although thats
just to space everything out in their minds as a corporation. Remember the
days before Microsoft started patch tuesday? Yeah, they would release
critical patches whenever they see fit. To me the mistake was that they
started "Patch Tuesday", so as a corporation, even though its a good thing
for normal bug fixes to be issues only once monthly, it makes it harder for
Microsoft to release a patch out of cycle for "critical flaws". You seem to
think theres not employees at Microsoft who don't want to release patches
inbetween patch tuesday. You're wrong, behind the scenes at Microsft right
now theres loads of people saying, "we want to release inbetween patch
tuesday for critical flaws, but because we've invented patch tuesday for
flaws generally, the more we do release patches inbeween patch tuesday, the
more it weakness to our patch tuesday policy" "We think patch tuesday is
good, but it restricts us to push out patches inbetween that, because we
want to keep credibility to our patch release day for all other flaws". So
you see, its not that Microsoft don't agree with out of cycle patch
releases, its just they don't want to spoil their overall patch tuesday
policy. Microsoft don't like to send out mixed messages, so until the higher
folks at MS start listening, then patch tuesday will continue to pose a
threat for when critical remote access flaws come along.
You can bet that they don't release patches for non-public
> vulnerabilities with a mere 20 days of testing (and that assumes they
> started on the patch the day the issue was published). When I reported
> a vulnerability in August that was (originally) scheduled for a
> bulletin, Microsoft said that if it made a bulletin, the earliest would
> be December. That was just shy of four months, and they weren't even
> certain it would make that release cycle. Microsoft doesn't have that
> kind of time here, and it's a damn sure bet that they aren't taking it.
We're not talking about non-public flaws! I'm talking about 0-day that goes
into the wild, where exploit code is then release, and where media hype is
created and then eeye and the others create a bigger security issue than the
intial flaw.
Some good documentation on Microsoft's patch development processes (and
> how they vary for products) would help you avoid this ignorant and
> noobish mistake and put an end to ignorant media reporting about how
> Microsoft is sticking to its schedule with this patch -- which couldn't
> be much further from the truth.
Microsoft are about to relase out of its cycle again for this IE
vulnerability, accroding to my contacts.The patch tuesday policy is only
just a new thing, they would before release a patch at any time of their
choosing. Because of patch tuesday, it now makes it more difficult for them
to break this, as you would know if you had worked for a multinational
before, they don't like to backtrack on a policy which is more than
acceptable for non critical flaws, its only the issues of critical flaws
hitting the wild, where exploit code is released, where media hype is
created and then where folks like eeye release a patch, which will only ever
be avaiable to the security community and all of its malicious users, where
script kids can patch systems for their own evil agendas, and or also
seperate, phishers can release bogus eeye patches, or release a patch under
another name with malicious code inserted, a lot of the time to execute
another malicious code, unrelated to the intial exploit code vulnerability.
I guess it's easier to bash Microsoft for made-up, delusional reasons
> like "they're standing and watching while people get 0wn3d!" than for
> the real reasons (i.e., a six-month "standard procedure" patch process).
> Those in the latter category actually require some work to understand,
> and apparently don't give people the instant ego boost of thinking
> they're "taking on the monopoly".
NO, i'm not anti-Microsoft, lots of my friends work there. The only evil is
folks like eEye providing tools (patches) to the security community, where
legitimate users will never get a hold of, but you can bet malicious users
will and use the patch to their advantage.
Microsoft only ever releases out of its new patch tuesday cycle when eeye
and all the others release third party patches. If you really were pro
Microsoft, you would be behind me in calling for all third party patches to
be slammed as a bad thing for Microsoft and the security community and the
public at large. Theres folks at Microsoft in complete agreement at what i'm
saying. Who agree, like me, that patch tuesday is a good thing normally, but
as soon as the evil third patches are released, then Microsoft has no choice
but to release out of cycle.
If you had contacts at Microsoft like I do, you would realise everything i'm
saying is in line with what individuals within ms are thinking.
Patch Tuesday = Good before third party patches appear
Third party patch = Evil
Patch Tuesday = Bad for everyone after third party patches appear, even
Microsoft, because they hate breaking out of the Patch Tuesday policy, even
though a lot of athe time a patch is ready for distrubution, Microsoft don't
want to break out of company policy, even though indviduals at Micrsoft wish
it was easier for a multinational to backtrack on its policy for critical
*public 0-day*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060328/eb43c664/attachment.html
Powered by blists - more mailing lists