Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs

["Larry Seltzer" <larry () larryseltzer com>]

They do it all the time. Lots of people don't patch.

It's common to see exploits come out for patched vulnerabilities,
especially shortly after a patch Tuesday.

-----Original Message-----
From: Dan Kaminsky [mailto:dan () doxpara com] 
Sent: Wednesday, March 31, 2010 12:03 PM
To: Larry Seltzer
Cc: disco jonny; funsec () linuxbox org
Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
find their own bugs

Yes, because if there's one thing people love to do, it's develop  
exploits for patched vulnerabilities.



On Mar 31, 2010, at 11:46 AM, "Larry Seltzer" <larry () larryseltzer com>  
wrote:

> I have some problems with this scenario.
>
> First if Microsoft patches include unrelated silent patches then I  
> would expect, as you say, people would diff the files and examine  
> the updates to see what it is they are changing and develop POCs for  
> them. I don't ever recall hearing of an exploit for a bug in Windows  
> that turned out to have been silently patched.
>
> Microsoft provides detailed file information the updates (e.g.
http://support.microsoft.com/kb/978251 
> ). Since we know exactly which files are being updated, any silent  
> patch would have to be in a file that was being patched for some  
> other reason, or at least closely related enough that it wouldn't  
> arouse suspicion.
>
> This seems like an odd way to go about things, and to what end? It's  
> been suggested to me that Microsoft might hide the fact that they  
> are patching security vulnerabilities that they found themselves to  
> avoid some sort of liability. I don't see why that works, especially  
> when the alternative they chose would be to lie to the customers  
> about what files are being updated for what purpose. The latter  
> seems more likely to get you in legal trouble.
>
> -----Original Message-----
> From: disco jonny [mailto:discojonny () gmail com]
> Sent: Wednesday, March 31, 2010 11:17 AM
> To: Larry Seltzer
> Cc: funsec () linuxbox org
> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple,  
> Microsoft to find their own bugs
>
> isnt this the point of what i said before?
>
> they do do in house security testing after a product has shipped,
> however they do not publically release the information for the
> security bugs they find and patch - they roll them out with the other
> patches. (or service pack)
>
> you can see this if you diff the patches and compare to the
> advisories. it doesnt happen every patch day. but it does happen.
>
> I am sure if you read my previous message about this then you will see
> that i ahve already said this.
>
> On 31 March 2010 13:20, Larry Seltzer <larry () larryseltzer com> wrote:
> > Can you point me to any disclosures for security vulnerabilities  
> > you found? Or were they patched silently?
> >
> > -----Original Message-----
> > From: disco jonny [mailto:discojonny () gmail com]
> > Sent: Wednesday, March 31, 2010 8:14 AM
> > To: Larry Seltzer
> > Cc: funsec () linuxbox org
> > Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple,  
> > Microsoft to find their own bugs
> >
> > Thats alright then.
> >
> > good to know i didnt look for or find any bugs.  I wonder why they  
> > paid me.
> >
> > On 28 March 2010 23:45, Larry Seltzer <larry () larryseltzer com> wrote:
> > > I know because I asked them and they gave me an actual response.  
> > > In the last
> > > 18 months they found exactly 1 vulnerability themselves, and they  
> > > found it
> > > ancillary to looking into the Kaminsky DNS bug after Dan Kaminsky  
> > > reported
> > > that to them.
> > >
> > > Larry Seltzer
> > > Contributing Editor, PC Magazine
> > > http://blogs.pcmag.com/securitywatch/
> > > Sent from my BlackBerry
> > >
> > > ----- Original Message -----
> > > From: disco jonny <discojonny () gmail com>
> > > To: Larry Seltzer
> > > Cc: funsec () linuxbox org <funsec () linuxbox org>
> > > Sent: Sun Mar 28 16:45:51 2010
> > > Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple,  
> > > Microsoft to
> > > find their own bugs
> > >
> > > > But once the product ships they stop looking.
> > >
> > > rubbish. I have worked there and seen that they do continual vuln
> > > assessment through out a products lifetime. [well for the products i
> > > worked on. (office 2k3 & 2k7)]
> > >
> > > They just dont beat their chest when they patch [they do it silently
> > > and push it out with the disclosed vulns] - reverse a few patches  
> > > and
> > > see how many issues are fixed.  You seem to often think how it is  
> > > then
> > > state that it is like that - as a fact. it really annoys me.
> > >
> > > How do you know what ms does and doesnt do?
> > >
> > >
> > > On 27 March 2010 12:58, Larry Seltzer <larry () larryseltzer com>  
> > > wrote:
> > > > I wrote about this myself a little while ago:
http://blogs.pcmag.com/securitywatch/2009/12/does_microsoft_look_for_vul
> > > > ner.php
> > > >
> > > > Microsoft puts a lot of effort into security research for  
> > > > products under
> > > > development. But once the product ships they stop looking. Alex  
> > > > Sotirov
> > > > pointed out that Microsoft's customers, by paying iDefense and
> > > > TippingPoint and the like, end up paying for research Microsoft  
> > > > should
> > > > be doing. Perhaps Microsoft is also a customer of these  
> > > > companies, I
> > > > don't know.
> > > >
> > > > LJS
> > > >
> > > > -----Original Message-----
> > > > From: funsec-bounces () linuxbox org [mailto:funsec- 
> > > > bounces () linuxbox org]
> > > > On Behalf Of Juha-Matti Laurio
> > > > Sent: Saturday, March 27, 2010 7:24 AM
> > > > To: funsec () linuxbox org
> > > > Subject: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft  
> > > > to
> > > > find their own bugs
http://www.computerworld.com/s/article/9174120/Pwn2Own_winner_tells_Appl
> > > > e_Microsoft_to_find_their_own_bugs
> > > >
> > > > "The only researcher to "three-peat" at the Pwn2Own hacking  
> > > > contest said
> > > > today that security is
> > > > such a "broken record" that he won't hand over 20 vulnerabilities  
> > > > he's
> > > > found in Apple's,
> > > > Adobe's and Microsoft's software.
> > > >
> > > > Instead Charlie Miller will show the vendors how to find the bugs
> > > > themselves.
> > > >
> > > > Miller, who yesterday exploited Safari on a MacBook Pro notebook  
> > > > running
> > > > Snow Leopard to win $10,000 in the hacking challenge,
> > > > said he's tired of the lack of progress in security. "We find a  
> > > > bug,
> > > > they patch it," said Miller.
> > > > "We find another bug, they patch it. That doesn't improve the  
> > > > security
> > > > of the product."
> > > >
> > > > Juha-Matti
> > > > _______________________________________________
> > > > Fun and Misc security discussion for OT posts.
> > > > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > > > Note: funsec is a public and open mailing list.
> > > >
> > > > _______________________________________________
> > > > Fun and Misc security discussion for OT posts.
> > > > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > > > Note: funsec is a public and open mailing list.
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.