Dailydave mailing list archives

Re: Fwd: RE: We have the enemy, and the enemy is... you


From: Matt <matt () use net>
Date: Fri, 14 Apr 2006 10:16:39 -0700 (PDT)

On Thu, 13 Apr 2006, Alexander Sotirov wrote:

> Olef Anderson wrote:
> > Stop with that please! so you are telling me that your 10
> > person team (an optimistic estimate) will do a better job in hooking
> > vulnerable functions on runtime in order to prevent exploitation and will
> > do a safer and better job than a MS hotfix (which is backed by probably
> > the world's biggest QA department) ?
>
> Yes.
>
> Microsoft patches usually break 3rd party apps because they disable insecure
> functionality or add other security enhancements, like tightening permissions or
> introducing extra authentication checks.

I personally wasn't impressed with Microsoft's inability to patch
even the majority of the RPCRT4.DLL exploitable overflows within the first
month of the Blaster worm (and its variants) being active. BugScan
detected 35 or so exploitable bugs, only 10 of which were fixed in the
first patch. The second patch with about 10 more. XP SP2 and Win2003 SP1
silently fixed a few others. It still doesn't make sense to me because in
almost every instance, it looked like literally the same exploitable code
that had been copied and pasted many times.

I'm not saying I believe in HIPS -- which is utterly bogus, in my opinion
-- just disagreeing on MS' ability to patch/test their patches.


This is a great thread, btw! :)


--
tangled strands of DNA explain the way that I behave.
http://www.clock.org/~matt

