Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs

[disco jonny <discojonny () gmail com>]

its quite simple - they find vulns x, y, z, in app 1 then when they
release a pacth for vulns a, b, c (all reported to them from outside
sources) then they also fix xyz. - see my previous two mails.

The main reason (in my humble opinion and in no way microsofts - well
it might be i dont know) is that publishing the bugs you find yourself
with your in house testing reveals the way you test, and what you
do/dont test for. - a lot of companies do not publish this info for
this very reason.  i see no reason why it is bad or suspicious
behaviour. - i guess it is the sensationalist in you that wants to
believe that they have not found a bug themselves for a year and a
half.

anyway, go reverse some patches and see.


On 31 March 2010 16:46, Larry Seltzer <larry () larryseltzer com> wrote:
> I have some problems with this scenario.
>
> First if Microsoft patches include unrelated silent patches then I would expect, as you say, people would diff the 
> files and examine the updates to see what it is they are changing and develop POCs for them. I don't ever recall 
> hearing of an exploit for a bug in Windows that turned out to have been silently patched.
>
> Microsoft provides detailed file information the updates (e.g. http://support.microsoft.com/kb/978251). Since we know 
> exactly which files are being updated, any silent patch would have to be in a file that was being patched for some 
> other reason, or at least closely related enough that it wouldn't arouse suspicion.
>
> This seems like an odd way to go about things, and to what end? It's been suggested to me that Microsoft might hide 
> the fact that they are patching security vulnerabilities that they found themselves to avoid some sort of liability. 
> I don't see why that works, especially when the alternative they chose would be to lie to the customers about what 
> files are being updated for what purpose. The latter seems more likely to get you in legal trouble.
>
> -----Original Message-----
> From: disco jonny [mailto:discojonny () gmail com]
> Sent: Wednesday, March 31, 2010 11:17 AM
> To: Larry Seltzer
> Cc: funsec () linuxbox org
> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
>
> isnt this the point of what i said before?
>
> they do do in house security testing after a product has shipped,
> however they do not publically release the information for the
> security bugs they find and patch - they roll them out with the other
> patches. (or service pack)
>
>  you can see this if you diff the patches and compare to the
> advisories. it doesnt happen every patch day. but it does happen.
>
> I am sure if you read my previous message about this then you will see
> that i ahve already said this.
>
> On 31 March 2010 13:20, Larry Seltzer <larry () larryseltzer com> wrote:
> > Can you point me to any disclosures for security vulnerabilities you found? Or were they patched silently?
> >
> > -----Original Message-----
> > From: disco jonny [mailto:discojonny () gmail com]
> > Sent: Wednesday, March 31, 2010 8:14 AM
> > To: Larry Seltzer
> > Cc: funsec () linuxbox org
> > Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
> >
> > Thats alright then.
> >
> > good to know i didnt look for or find any bugs.  I wonder why they paid me.
> >
> > On 28 March 2010 23:45, Larry Seltzer <larry () larryseltzer com> wrote:
> > > I know because I asked them and they gave me an actual response. In the last
> > > 18 months they found exactly 1 vulnerability themselves, and they found it
> > > ancillary to looking into the Kaminsky DNS bug after Dan Kaminsky reported
> > > that to them.
> > >
> > > Larry Seltzer
> > > Contributing Editor, PC Magazine
> > > http://blogs.pcmag.com/securitywatch/
> > > Sent from my BlackBerry
> > >
> > > ----- Original Message -----
> > > From: disco jonny <discojonny () gmail com>
> > > To: Larry Seltzer
> > > Cc: funsec () linuxbox org <funsec () linuxbox org>
> > > Sent: Sun Mar 28 16:45:51 2010
> > > Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
> > > find their own bugs
> > >
> > > > But once the product ships they stop looking.
> > >
> > > rubbish. I have worked there and seen that they do continual vuln
> > > assessment through out a products lifetime. [well for the products i
> > > worked on. (office 2k3 & 2k7)]
> > >
> > > They just dont beat their chest when they patch [they do it silently
> > > and push it out with the disclosed vulns] - reverse a few patches and
> > > see how many issues are fixed.  You seem to often think how it is then
> > > state that it is like that - as a fact. it really annoys me.
> > >
> > > How do you know what ms does and doesnt do?
> > >
> > >
> > > On 27 March 2010 12:58, Larry Seltzer <larry () larryseltzer com> wrote:
> > > > I wrote about this myself a little while ago:
> > > > http://blogs.pcmag.com/securitywatch/2009/12/does_microsoft_look_for_vul
> > > > ner.php
> > > >
> > > > Microsoft puts a lot of effort into security research for products under
> > > > development. But once the product ships they stop looking. Alex Sotirov
> > > > pointed out that Microsoft's customers, by paying iDefense and
> > > > TippingPoint and the like, end up paying for research Microsoft should
> > > > be doing. Perhaps Microsoft is also a customer of these companies, I
> > > > don't know.
> > > >
> > > > LJS
> > > >
> > > > -----Original Message-----
> > > > From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
> > > > On Behalf Of Juha-Matti Laurio
> > > > Sent: Saturday, March 27, 2010 7:24 AM
> > > > To: funsec () linuxbox org
> > > > Subject: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
> > > > find their own bugs
> > > >
> > > > http://www.computerworld.com/s/article/9174120/Pwn2Own_winner_tells_Appl
> > > > e_Microsoft_to_find_their_own_bugs
> > > >
> > > > "The only researcher to "three-peat" at the Pwn2Own hacking contest said
> > > > today that security is
> > > > such a "broken record" that he won't hand over 20 vulnerabilities he's
> > > > found in Apple's,
> > > > Adobe's and Microsoft's software.
> > > >
> > > > Instead Charlie Miller will show the vendors how to find the bugs
> > > > themselves.
> > > >
> > > > Miller, who yesterday exploited Safari on a MacBook Pro notebook running
> > > > Snow Leopard to win $10,000 in the hacking challenge,
> > > > said he's tired of the lack of progress in security. "We find a bug,
> > > > they patch it," said Miller.
> > > > "We find another bug, they patch it. That doesn't improve the security
> > > > of the product."
> > > >
> > > > Juha-Matti
> > > > _______________________________________________
> > > > Fun and Misc security discussion for OT posts.
> > > > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > > > Note: funsec is a public and open mailing list.
> > > >
> > > > _______________________________________________
> > > > Fun and Misc security discussion for OT posts.
> > > > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > > > Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.