Dailydave mailing list archives
RE: Microsoft silently fixes security vulnerabilities
From: "Steve Manzuik" <smanzuik () eeye com>
Date: Sat, 15 Apr 2006 22:00:38 -0700
Hi Marc,

Andre Protas, as well as a few of the other guys over at the eEye Research Team, has done a lot of work on analyzing patches and seeing what is truly fixed and what is not. In fact, Andre and I presented on this subject at Blackhat in Amsterdam and offered a few examples. We are going to be doing another version of the same presentation (but with other silently fixed vulns as examples) at AusCERT as well.

My biggest problem with silently fixed patches is that it makes it tougher for the large end users to do a proper risk assessment of the patch. Most of the large enterprises I have been exposed to all but ignore the vendor risk rating and try to assign a patch their own internal risk rating. Without knowing what is truly fixed, it is pretty tough to do this.

The next problem with this, which Andre and I demonstrated in our talk, was that certain signature-based protections do not protect against the silently fixed vulnerabilities. So organizations that take their time to patch because they feel that their security product is protecting their systems might be surprised.
> Also very interesting is this eEye advisory [2], explaining Microsoft discovered internally the CVE-2005-2120 vulnerability and fixed it silently in Windows 2003 without backporting it to earlier Windows versions. eEye then independently rediscovered it, "forcing" Microsoft to release MS05-047 to publicly acknowledge the vuln and backport a fix to all Windows versions. At least, in this case Microsoft doesn't lie and tells the truth in MS05-047 by listing Windows 2003 as not affected.
If you go back even further, long before my time at eEye, and take a look at the ASN.1 patch of February 2004, you will see other (multiple) related vulnerabilities fixed. I am not going to blame Microsoft for doing their own investigation into issues. Typically, when someone reports an issue to MS they will look for other issues that are possibly related and fix those too. That is a good thing. Where they are going wrong is in not sharing the details. Sadly, this is not just an MS problem. I will go out on a limb here (and probably get slapped for it) and say that *most* vendors practice this.

Cheers,
Steve Manzuik
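The point Steve makes about signature-based protections, shown as an added example that is not part of this thread and not eEye's or Microsoft's code. The wire format, the field limits, the "public PoC" pattern and all sample messages below are constructed for illustration; they do not describe any real protocol, product or CVE. An exploit-based signature written from the published proof of concept matches only that payload, while a check on the bounds the patch actually enforces (the vulnerability condition) also catches a differently-padded exploit and a message aimed at a sibling bug that was fixed without being announced:

```python
import re

# Toy wire format, constructed for this example (not any real protocol):
#   magic (2 bytes, b"TY") | name_len (1) | name | comment_len (1) | comment
# Assume the unpatched parser copies name into a 32-byte buffer and comment
# into a 64-byte buffer while trusting the announced lengths. The announced
# bug is the name overflow; the comment overflow is the "silently fixed" one.
MAGIC = b"TY"
MAX_NAME = 32       # assumed buffer size enforced by the patch
MAX_COMMENT = 64    # assumed buffer size enforced by the patch


def build_message(name: bytes, comment: bytes) -> bytes:
    """Encode a message; one-byte length prefixes cap each field at 255."""
    if len(name) > 255 or len(comment) > 255:
        raise ValueError("field too long for a one-byte length prefix")
    return MAGIC + bytes([len(name)]) + name + bytes([len(comment)]) + comment


def parse_fields(data: bytes) -> dict:
    """Split a message into fields. Like the unpatched code, this trusts the
    announced lengths and imposes no buffer limit; only framing is checked."""
    if len(data) < 3 or data[:2] != MAGIC:
        raise ValueError("bad magic")
    name_len = data[2]
    name = data[3:3 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated name")
    off = 3 + name_len
    if off >= len(data):
        raise ValueError("missing comment length")
    comment_len = data[off]
    comment = data[off + 1:off + 1 + comment_len]
    if len(comment) != comment_len:
        raise ValueError("truncated comment")
    return {"name": name, "comment": comment}


# Exploit-based signature, written from the (constructed) public PoC, which
# fills the name field with a long run of 'A'. This is the style of rule a
# signature product ships the day the advisory comes out.
PUBLIC_POC_SIG = re.compile(rb"A{40,}")


def signature_detects(data: bytes) -> bool:
    """True if the message matches the exploit-based signature."""
    return PUBLIC_POC_SIG.search(data) is not None


def vuln_condition_detects(data: bytes) -> bool:
    """Vulnerability-based check: flag any message that violates the bounds
    the patch enforces, regardless of which field or filler byte is used."""
    try:
        fields = parse_fields(data)
    except ValueError:
        return False  # malformed framing is rejected before the unsafe copy
    return len(fields["name"]) > MAX_NAME or len(fields["comment"]) > MAX_COMMENT


# Constructed samples.
BENIGN = build_message(b"alice", b"hello")
PUBLIC_POC = build_message(b"A" * 200, b"x")           # announced bug, textbook PoC
POC_VARIANT = build_message(b"\x90" * 200, b"x")       # same bug, different filler
SILENT_FIX_TARGET = build_message(b"bob", b"B" * 200)  # sibling bug, fixed silently


def evaluate(samples: dict) -> dict:
    """Return {label: (signature_hit, bounds_check_hit)} for each sample."""
    return {label: (signature_detects(d), vuln_condition_detects(d))
            for label, d in samples.items()}


if __name__ == "__main__":
    results = evaluate({
        "benign": BENIGN,
        "public_poc": PUBLIC_POC,
        "poc_variant": POC_VARIANT,
        "silent_fix_target": SILENT_FIX_TARGET,
    })
    for label, (sig, vuln) in results.items():
        print(f"{label:18} signature={str(sig):5} bounds-check={vuln}")
```

Run stand-alone, it shows the signature firing only on `public_poc`, while the bounds check fires on `public_poc`, `poc_variant` and `silent_fix_target`. The practical takeaway matches Steve's warning: if the vendor never says that the comment path was also fixed, nobody writes a rule for it, and a deployment relying on the signature while deferring the patch is exposed to exactly the bug the patch quietly closed.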
Current thread:
- Microsoft silently fixes security vulnerabilities Marc_Bevand (Apr 15)
- <Possible follow-ups>
- RE: Microsoft silently fixes security vulnerabilities Steve Manzuik (Apr 17)
- RE: Microsoft silently fixes security vulnerabilities Ari Takanen (Apr 19)
- Re: RE: Microsoft silently fixes security vulnerabilities H D Moore (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Chris Anley (Apr 23)
- Re: RE: Microsoft silently fixes security vulnerabilities Nick DeBaggis (Apr 23)
- Re: RE: Microsoft silently fixes security vulnerabilities Chris Anley (Apr 24)
- Re: RE: Microsoft silently fixes security vulnerabilities H D Moore (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Bryan Burns (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Pusscat (Apr 21)