Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs

[disco jonny <discojonny () gmail com>]

> But once the product ships they stop looking.

rubbish. I have worked there and seen that they do continual vuln
assessment through out a products lifetime. [well for the products i
worked on. (office 2k3 & 2k7)]

They just dont beat their chest when they patch [they do it silently
and push it out with the disclosed vulns] - reverse a few patches and
see how many issues are fixed.  You seem to often think how it is then
state that it is like that - as a fact. it really annoys me.

How do you know what ms does and doesnt do?


On 27 March 2010 12:58, Larry Seltzer <larry () larryseltzer com> wrote:
> I wrote about this myself a little while ago:
> http://blogs.pcmag.com/securitywatch/2009/12/does_microsoft_look_for_vul
> ner.php
>
> Microsoft puts a lot of effort into security research for products under
> development. But once the product ships they stop looking. Alex Sotirov
> pointed out that Microsoft's customers, by paying iDefense and
> TippingPoint and the like, end up paying for research Microsoft should
> be doing. Perhaps Microsoft is also a customer of these companies, I
> don't know.
>
> LJS
>
> -----Original Message-----
> From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
> On Behalf Of Juha-Matti Laurio
> Sent: Saturday, March 27, 2010 7:24 AM
> To: funsec () linuxbox org
> Subject: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
> find their own bugs
>
> http://www.computerworld.com/s/article/9174120/Pwn2Own_winner_tells_Appl
> e_Microsoft_to_find_their_own_bugs
>
> "The only researcher to "three-peat" at the Pwn2Own hacking contest said
> today that security is
> such a "broken record" that he won't hand over 20 vulnerabilities he's
> found in Apple's,
> Adobe's and Microsoft's software.
>
> Instead Charlie Miller will show the vendors how to find the bugs
> themselves.
>
> Miller, who yesterday exploited Safari on a MacBook Pro notebook running
> Snow Leopard to win $10,000 in the hacking challenge,
> said he's tired of the lack of progress in security. "We find a bug,
> they patch it," said Miller.
> "We find another bug, they patch it. That doesn't improve the security
> of the product."
>
> Juha-Matti
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.