Message-ID: <41011d980603290849y6c1c462en49861e070b05fbd0@mail.gmail.com>
Date: Wed Mar 29 17:49:28 2006
From: i.m.crazy.frog at gmail.com (crazy frog crazy frog)
Subject: Security Alert: Unofficial IE patches appear oninternet

groundzero,
why do you keep replying? Kindly ignore such stuff.

On 3/29/06, n3td3v <n3td3v@...il.com> wrote:
>
> On 3/29/06, GroundZero Security <fd@....org> wrote:
> >
> >
> > Oh shut up, I thought you had unsubscribed from this list?
> > You claim that your imaginary people work for Microsoft,
> > so why don't you simply tell them to act up instead of
> > annoying everyone here on FD. Stop pretending and get lost.
>
>
>
> "Imaginary and pretending"... I like that one.
>
> >
> >
> >
> > Unofficial patches are not evil no matter what you think about them.
> > You have no clue anyway....do you even know what a patch is?
> > Unofficial patches are just meant as initial help until a proper patch
> > is out, not for mission critical systems. Microsoft needs time to
> > develop a proper patch as they can't simply throw together a patch,
> > but also have to test if it won't break any existing software etc as
> > Windows is so widely used on tons of different platforms and along
> > with so many software products, that they have to make sure it's all
> > stable. Sure they can't always have perfect results, but if you have
> > to bitch so much about it, why don't you write a proper patch?
> >
> > oh yes I forgot, you can't code.......
>
>
>
> You should hear yourself. You say you've been around since 1994 but you
> ramble some spit about basic knowledge about "all platforms need to be
> tested". Yeah, we all know this, like this is FD, we all have expertise in
> this field.
>
>
>
> >
> >
> >
> > Another funny thing you said to someone:
> >
> > "There you go on assuming my knowledge base, even though i've
> > been around the security scene longer than you."
> >
> >
> > Well I remember your old mails where you bragged about having
> > +6 years experience in the security field. So you came around
> > 1999/2000 .. I started in 1994, so I can lay down the same attitude
>
>
>
> To be honest I DON'T care when you started, but you don't come across as
> someone who has worked in the industry since 1994, far from it. Maybe you
> should look at your own performance on FD, before you start bashing the
> n3td3v security group and the founder.
>
>
>
> >
> >
> > on you kiddie, isn't it? Besides of that, it doesn't matter if you hang
> > on IRC since 20 years, it matters what you did in that time.
>
>
>
> IRC? You're having a laugh right...
>
>
> >
> >
> > Others learn and improve, while you just try to look cool with your
> > imaginary group, yet you still expect that someone takes you seriously here.
>
>
>
> You seem to think a handful of trolls on FD (you) bashing the n3td3v group
> is representative of anything credible.
>
>
> ----- Original Message -----
> >
> >
> > From: n3td3v
> > To: full-disclosure@...ts.grok.org.uk
> >
> > Sent: Tuesday, March 28, 2006 8:46 PM
> > Subject: Re: [Full-disclosure] Security Alert: Unofficial IE patches appear oninternet
> >
> >
> >
> > On 3/28/06, Matthew Murphy <mattmurphy@...rr.com > wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: RIPEMD160
> > >
> > >
> > > Newsflash, idiot: you're not the first one to think of this.  Plenty of
> > > people at Microsoft beat you to the punch.  When the threat environment
> > > created by a vulnerability is as serious as this case and the available
> > > code-independent workarounds (i.e., other than patches) are so poor,
> > > Microsoft will be inclined strongly against holding on to this patch.
> >
> >
> > Matthew firstly starts off his rant by claiming n3td3v is an idiot and
> > then uses some clever words to talk about something that's not entirely
> > clear, but I guess what he is trying to say is hidden in between his
> > wording.
> >
> > > I'd venture to bet that Microsoft will make this patch available as soon
> > > as they're confident in the quality of it.  Their first patch day is, at
> > > this point, nothing more than a benchmark.  They might beat it but they
> > > almost certainly won't fall short of it unless there are major quality
> > > issues.
> >
> >
> > You would venture to bet? There's no betting involved. They do only release
> > a patch after Q.A testing. Although they can in certain situations bring
> > forward a patch sooner. It's not about beating a patch day. Microsoft often
> > have patches ready but wait for the corporate known about Tuesday and
> > Thursday press release days that all corporations globally adhere to in the
> > world of security and otherwise.
> >
> > > The other thing that you obviously have no clue of is that even a
> > > release on patch Tuesday is "out-of-cycle" as far as Microsoft's test
> > > processes are concerned.  Microsoft normally issues IE patches on a two
> > > month cycle -- February, April, June, August, October, December.
> >
> >
> >
> > The other thing I "obviously" have no clue about? There you go on assuming
> > my knowledge base, even though I've been around the security scene longer
> > than you. Sure, Microsoft have a "comfortable" release cycle, although that's
> > just to space everything out in their minds as a corporation. Remember the
> > days before Microsoft started Patch Tuesday? Yeah, they would release
> > critical patches whenever they see fit. To me the mistake was that they
> > started "Patch Tuesday", so as a corporation, even though it's a good thing
> > for normal bug fixes to be issued only once monthly, it makes it harder for
> > Microsoft to release a patch out of cycle for "critical flaws". You seem to
> > think there's not employees at Microsoft who don't want to release patches
> > in between Patch Tuesday. You're wrong, behind the scenes at Microsoft right
> > now there's loads of people saying, "we want to release in between Patch
> > Tuesday for critical flaws, but because we've invented Patch Tuesday for
> > flaws generally, the more we do release patches in between Patch Tuesday, the
> > more it weakens our Patch Tuesday policy" "We think Patch Tuesday is
> > good, but it restricts us to push out patches in between that, because we
> > want to keep credibility to our patch release day for all other flaws". So
> > you see, it's not that Microsoft don't agree with out of cycle patch
> > releases, it's just they don't want to spoil their overall Patch Tuesday
> > policy. Microsoft don't like to send out mixed messages, so until the higher
> > folks at MS start listening, then Patch Tuesday will continue to pose a
> > threat for when critical remote access flaws come along.
> >
> > > You can bet that they don't release patches for non-public
> > > vulnerabilities with a mere 20 days of testing (and that assumes they
> > > started on the patch the day the issue was published).  When I reported
> > > a vulnerability in August that was (originally) scheduled for a
> > > bulletin, Microsoft said that if it made a bulletin, the earliest would
> > > be December.  That was just shy of four months, and they weren't even
> > > certain it would make that release cycle.  Microsoft doesn't have that
> > > kind of time here, and it's a damn sure bet that they aren't taking it.
> >
> >
> >
> > We're not talking about non-public flaws! I'm talking about 0-day that
> > goes into the wild, where exploit code is then released, and where media hype
> > is created and then eEye and the others create a bigger security issue than
> > the initial flaw.
> >
> > > Some good documentation on Microsoft's patch development processes (and
> > > how they vary for products) would help you avoid this ignorant and
> > > noobish mistake and put an end to ignorant media reporting about how
> > > Microsoft is sticking to its schedule with this patch -- which couldn't
> > > be much further from the truth.
> >
> >
> > Microsoft are about to release out of its cycle again for this IE
> > vulnerability, according to my contacts. The Patch Tuesday policy is only
> > just a new thing, they would before release a patch at any time of their
> > choosing. Because of Patch Tuesday, it now makes it more difficult for them
> > to break this, as you would know if you had worked for a multinational
> > before, they don't like to backtrack on a policy which is more than
> > acceptable for non critical flaws, it's only the issues of critical flaws
> > hitting the wild, where exploit code is released, where media hype is
> > created and then where folks like eEye release a patch, which will only ever
> > be available to the security community and all of its malicious users, where
> > script kids can patch systems for their own evil agendas, and or also
> > separate, phishers can release bogus eEye patches, or release a patch under
> > another name with malicious code inserted, a lot of the time to execute
> > another malicious code, unrelated to the initial exploit code vulnerability.
> >
> > > I guess it's easier to bash Microsoft for made-up, delusional reasons
> > > like "they're standing and watching while people get 0wn3d!" than for
> > > the real reasons (i.e., a six-month "standard procedure" patch process).
> > > Those in the latter category actually require some work to understand,
> > > and apparently don't give people the instant ego boost of thinking
> > > they're "taking on the monopoly".
> >
> >
> >
> > NO, I'm not anti-Microsoft, lots of my friends work there. The only evil
> > is folks like eEye providing tools (patches) to the security community,
> > where legitimate users will never get a hold of, but you can bet malicious
> > users will and use the patch to their advantage.
> >
> > Microsoft only ever releases out of its new Patch Tuesday cycle when eEye
> > and all the others release third party patches. If you really were pro
> > Microsoft, you would be behind me in calling for all third party patches to
> > be slammed as a bad thing for Microsoft and the security community and the
> > public at large. There's folks at Microsoft in complete agreement at what I'm
> > saying. Who agree, like me, that Patch Tuesday is a good thing normally, but
> > as soon as the evil third patches are released, then Microsoft has no choice
> > but to release out of cycle.
> >
> > If you had contacts at Microsoft like I do, you would realise everything
> > I'm saying is in line with what individuals within MS are thinking.
> >
> > Patch Tuesday = Good before third party patches appear
> > Third party patch = Evil
> > Patch Tuesday = Bad for everyone after third party patches appear, even
> > Microsoft, because they hate breaking out of the Patch Tuesday policy, even
> > though a lot of the time a patch is ready for distribution, Microsoft don't
> > want to break out of company policy, even though individuals at Microsoft wish
> > it was easier for a multinational to backtrack on its policy for critical
> > *public 0-day*
> >
> >
> >
> >
> >
> > ________________________________
>
> >
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >


--
ting ding ting ding ting ding
ting ding ting ding ding
i m crazy frog :)
"oh yeah oh yeah...
 another wannabe, in hackerland!!!"
