Full Disclosure mailing list archives

RE: 3 new MS patches next week... but none fix


From: "Joe" <mvp () joeware net>
Date: Sat, 10 Jan 2004 10:03:16 -0500

MS does beta test fixes, some companies could be on that beta test program.
However, I really highly doubt MS is documenting specific bug issues they
are generating fixes for and the details of those fixes and selling it to
companies as that would be a huge liability issue. That would ultimately get
out and damage MS and no matter how much people hate MS, they didn't get to
where they are by being outright stupid. I realize there isn't anything that
can be said to someone who has a differing opinion. It is like the Pete Rose
and the Hall of Fame question, some people think he should be in, some
people don't; you can't convince either side otherwise.

Most likely what the guy is selling (or trying to sell) is some sort of
IDS/network system that grabs the problem packets before they get to the
server's application layer to do damage. Companies like eEye have been doing
this for a long time - have a predefined "these packets are within our
tolerances" baseline and then anything that is outside of it gets squished.
It is actually a good idea (I think) for any machine publicly exposed. You
define the traffic you are willing to take, including request lengths, etc.,
for various ports/protocols, and anything outside of that gets dropped and an
error is generated. Maybe it is a new way to access a new app on the box,
maybe it is a new attack style. Either way, if, say, that HTTP request is
composed of more than, say, x bytes, the http daemon never sees it.

If the company had a real patch that they developed from detailed purchased
info from MS, I think the patch wouldn't be called virtual and it would
violate the crap out of whatever license they have with MS to get that info
in the first place. Hell, a company with a good firewall product could call
that virtual patching... You run our product and you are virtually patched
from all of these attack vectors and never have to install the official
MS/Linux/BSD/Solaris/??/Cray specific patch unless you want to.

The huge liability hole I would see is, say, some company buys that info MS
allegedly publishes, generates some attack code and robs some company or
government blind with it. If the info came out that the data concerning how
to compromise that hole came straight from MS without MS first providing a
publicly available patch, I could visualize a slew of lawyers descending and
claiming MS was an accomplice.


  joe
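The "these packets are within our tolerances" baseline Joe describes above, as an added example that is not part of the original post or of any vendor's product: a per-port tolerance table (request size, longest line, allowed methods) is applied to a request before the daemon would see it, and anything outside the baseline is dropped with a logged reason. The port numbers, limits and sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Tolerance:
    max_request_bytes: int        # whole request, headers included
    max_line_bytes: int           # longest single request or header line
    allowed_methods: FrozenSet[str]  # empty set means "any method"


# Constructed baseline: what we are willing to accept on each exposed port.
# A port with no entry has no baseline, so nothing is passed through on it.
BASELINE = {
    80: Tolerance(max_request_bytes=8192, max_line_bytes=2048,
                  allowed_methods=frozenset({"GET", "HEAD", "POST"})),
    25: Tolerance(max_request_bytes=4096, max_line_bytes=998,
                  allowed_methods=frozenset()),
}


def check_request(port: int, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for one raw request destined for `port`.

    The request never reaches the application layer unless every
    tolerance in the baseline for that port is satisfied.
    """
    tol = BASELINE.get(port)
    if tol is None:
        return False, "no baseline defined for port %d" % port
    if len(data) > tol.max_request_bytes:
        return False, "request of %d bytes exceeds %d" % (
            len(data), tol.max_request_bytes)
    for line in data.split(b"\r\n"):
        if len(line) > tol.max_line_bytes:
            return False, "line of %d bytes exceeds %d" % (
                len(line), tol.max_line_bytes)
    if tol.allowed_methods:
        method = data.split(b" ", 1)[0].decode("ascii", "replace")
        if method not in tol.allowed_methods:
            return False, "method %r not in baseline" % method
    return True, "within baseline"


# Constructed sample traffic: one ordinary request, one with an oversized
# request line, one whose total size exceeds the port 80 baseline.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"
LONG_LINE = b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\nHost: www.example\r\n\r\n"
HUGE = b"POST /upload HTTP/1.1\r\nHost: www.example\r\n\r\n" + b"x" * 9000
```

Running `check_request(80, LONG_LINE)` rejects on the line length even though the whole request is under the 8192-byte cap, which is the point of checking both limits.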

 

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Tim
Sent: Friday, January 09, 2004 11:44 PM
To: Randal, Phil
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] 3 new MS patches next week... but none fix


A certain very large vendor has been trying to court my company, and during
small talk over lunch, we mentioned we were very busy with the M$ patch
batch of the month.  In a little mum's-the-word response, the vendor
representative implied that they could make that problem "go away" with
something they called "virtual patches", which he was quite smug about.  I
was very confused at first, as he didn't appear to be trying to sell a
specific product, but when I ran the conversation back through my mind, I
realized that M$ must be giving pre-release information to major vendors.
Probably for a hefty price tag.

This is sickening to me.  M$ likely is making money off of their own
liability.  This is very similar to the bullshit trick the ISC has been
pulling with BIND.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
