lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <01dc01c65379$baad36e0$0400a8c0@AMDLAPTOP>
Date: Wed Mar 29 22:43:09 2006
From: angray at beeb.net (Aaron Gray)
Subject: Third party patches, a matter of trust by n3td3v

They do not necessarily work right. A JPEG patch fixed the volunerability but after a MS update a week later stopped any viewing of JPEG's and the only way I could find to get the system back to normal was an OS reinstall.

Aaron

  ----- Original Message ----- 
  From: n3td3v 
  To: full-disclosure@...ts.grok.org.uk 
  Sent: Wednesday, March 29, 2006 8:39 PM
  Subject: [Full-disclosure] Third party patches, a matter of trust by n3td3v


  Third party patches, a matter of trust by n3td3v
  Why are third party patches a bad thing?

  They force Microsoft to rush out a patch before 
  Q.A testing has been fully completed in the time scale
  Microsoft would have initially hoped.


  Is it responsible for eEye to release a third party patch before Microsoft?

  No, its very bad because it confuses the consumer and brings up the issue of trust
  in the mind of the consumer. Once you start dangling multiple vulnerability fixes infront of 
  consumer, it opens the door for malicious hackers, script kids and phishers to compromise 
  security.

  What do you mean "irresponsible"?

  Yes, because the delivery of a third party patch cannot reach a world wide audience if the 
  news of third party patch avaiability is only on that of U-S based news media outlets.

  Microsoft since service pack two have automatic update functionality on its software, allowing 
  a patch to be delivered essentially to all of its customers world wide, eEye just don't have that kind of reach available to them. 

  How could a third party patch be used against people?

  Script kids compromise systems, and then patch them with the third party patch.

  If the trend of third party patches continue, malicious users can play upto the multiple patch sources available, and setup fraud scams to compromise a user system with bogus patches, which have inserted malicious code. A lot of the time the malicious code will have additional vulnerabilities attached. The third party patch merely acts as a deliver system to socially engineer the mind of the consumer. Once the consumer gets the idea of patches being available from multiple sources, then thats where the problems will spiral out of control, and that element of trust really comes into play. 

  Should Microsoft take legal action against third party patch developers like eEye?

  Yes, I think so. The idea of thrid party patches being released by big companies like eEye is very irresponsible and offers a grave danger to the public at large, by making the patch available to the worlds malicious users, where then, the magnitude of the situation is blown up and makes the situation more intense because fixes are being made available for 0-day before Microsoft has had the chance to fully develop a secure realible patch and deliver it to world wide customers. 

  Should Micorsoft release a patch for critical public 0-day before patch tuesday?

  Yes, and no. No, If it wasn't for eEye compromising security by forcing Microsoft to push out a patch before 
  the required time frame, then there would be no need to release a patch early. Yes, because since the WMF flaw, third party developers are releasing patches and Microsoft must get ontop of the trend before consumers start to trust third party sources in place of the legitimate Micrsoft patch. 

  What can consumers do to protect themselves from third party patches?

  Never download a third party patch, even if its from a "trusted" source. Real patches will only ever come from Microsoft and the Automatic Update functionaility on Microsoft products. Remember, Microsoft can offer you support if their patch becomes faulty. If you download from a third party source, your system may become corrupt with errors, or in the worst case scenario, you may be victim to a malicious patch claming to fix a vulnerability. 

  Should the industry get behind the idea of making third party patches an unacceptable alternative to a Microsoft patch?

  Yes. The future of security world wide depends on the industry not recommending these patches, no matter how safe the patch may appear or if the source can be trusted. The only real patch can be offered by Microsoft, and the only people who really do know how to fix a vulnerability is Microsoft. With the WMF flaw, many folks were shocked to see SANS etc recommending a third party patch. This time around it seems to be different. The big players are finally listening to folks like n3td3v and the grave dangers attached to making the trend of third party patches for Microsoft products a bad pratice, whcih shouldnt be encouraged under any circumstance. Sure, its healthy to develop your own patch solutions in private for your own research and development, but as soon as you offer that patch to the wild, then its surely going to be picked up by malicious users and used against the consumer ten times over before legitimate users can see or hear of your third party patch. 


   


------------------------------------------------------------------------------


  _______________________________________________
  Full-Disclosure - We believe in it.
  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
  Hosted and sponsored by Secunia - http://secunia.com/


------------------------------------------------------------------------------


  Internal Virus Database is out-of-date.
  Checked by AVG Free Edition.
  Version: 7.1.375 / Virus Database: 268.2.6/288 - Release Date: 22/03/2006
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060329/0d420e4e/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ