Dailydave mailing list archives
Re: RE: Microsoft silently fixes security vulnerabilities
From: Chris Anley <chris () ngssoftware com>
Date: Sun, 23 Apr 2006 10:38:52 +0100
H D Moore wrote:
Silent patching helps attackers by preventing the NIPS/HIPS/VA companies from being able to protect their customers. In previous pen-test engagements, I preferred to use an unknown, but patched flaw over a widely-reported one every time. The admin doesn't know about it, the vendor has a patch for it, and I don't have to worry about anyone having a signature for it.
Definitely. There's a further problem though - sometimes a fix is only silent because the vendor doesn't know they've fixed something.
As someone fixing an overflow (say), if I apply a 'gating' validation to some input string near the point that string is received and reject input greater than some presumably safe length, I have not only fixed the reported bug but also probably a number of related bugs in other code further down the call tree that I'm unaware of, maybe because someone else in my company wrote it, or because it's in third-party code, or even in a third-party binary. The problem is that neither I (the developer following best practice) nor the vulnerability researcher, nor anyone writing NIPS/HIPS knows what bugs were actually fixed by my input validation.
Now, I'm not saying that specific silent fixes don't happen - obviously they do - I'm just saying that even if that practice is stamped out by a public outcry, litigation, legislation etc, there'll still be an intractable problem to solve. -chris.
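The gating effect Chris describes, as a constructed C illustration added here (not code from this thread): the developer knows only about the 256-byte log buffer, yet a 48-byte limit applied at the input point also neutralises an unreported 64-byte overflow further down the call tree. Buffer sizes and the gate limit are assumptions, and the unchecked copy is simulated so the program never actually corrupts memory.

```c
#include <stdbool.h>
#include <string.h>
#define LOG_BUF  256  /* the reported overflow the developer knows about (assumed size) */
#define FMT_BUF   64  /* an unreported overflow in "third-party" code (assumed size) */
#define GATE_MAX  48  /* "presumably safe" limit chosen for the gating check (assumed) */

/* Stand-in for an unchecked strcpy(): reports whether the copy would have
 * run past dst instead of actually corrupting memory. */
static bool unchecked_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > dst_size) {
        dst[0] = '\0';
        return true;                  /* a real strcpy() overflows here */
    }
    memcpy(dst, src, n + 1);
    return false;
}

/* The bug that was reported and that the developer set out to fix. */
static bool log_request(const char *s) {
    char buf[LOG_BUF];
    return unchecked_copy(buf, sizeof buf, s);
}

/* A latent bug further down the call tree that nobody reported. */
static bool third_party_format(const char *s) {
    char buf[FMT_BUF];
    return unchecked_copy(buf, sizeof buf, s);
}

/* Returns -1 if the gate rejects the input, otherwise how many downstream
 * sinks would have overflowed. */
int handle_request(const char *s, bool gate_enabled) {
    if (gate_enabled && strlen(s) > GATE_MAX)
        return -1;                    /* gating validation at the input point */
    int overflows = 0;
    overflows += log_request(s);
    overflows += third_party_format(s); /* covered by the same gate, unnoticed */
    return overflows;
}

/* Runs a constructed input of 'len' bytes through handle_request(). */
int simulate(size_t len, bool gate_enabled) {
    char in[1024];
    if (len >= sizeof in) len = sizeof in - 1;
    memset(in, 'A', len);
    in[len] = '\0';
    return handle_request(in, gate_enabled);
}
```

With the gate off, a 100-byte input trips only the 64-byte sink the developer never heard of; with the gate on, neither sink is reachable, and nothing in the program records which latent bugs the limit actually closed.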