funsec mailing list archives
Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
From: disco jonny <discojonny () gmail com>
Date: Wed, 31 Mar 2010 18:47:37 +0100
its quite simple - they find vulns x, y, z, in app 1 then when they release a pacth for vulns a, b, c (all reported to them from outside sources) then they also fix xyz. - see my previous two mails. The main reason (in my humble opinion and in no way microsofts - well it might be i dont know) is that publishing the bugs you find yourself with your in house testing reveals the way you test, and what you do/dont test for. - a lot of companies do not publish this info for this very reason. i see no reason why it is bad or suspicious behaviour. - i guess it is the sensationalist in you that wants to believe that they have not found a bug themselves for a year and a half. anyway, go reverse some patches and see. On 31 March 2010 16:46, Larry Seltzer <larry () larryseltzer com> wrote:
I have some problems with this scenario. First if Microsoft patches include unrelated silent patches then I would expect, as you say, people would diff the files and examine the updates to see what it is they are changing and develop POCs for them. I don't ever recall hearing of an exploit for a bug in Windows that turned out to have been silently patched. Microsoft provides detailed file information the updates (e.g. http://support.microsoft.com/kb/978251). Since we know exactly which files are being updated, any silent patch would have to be in a file that was being patched for some other reason, or at least closely related enough that it wouldn't arouse suspicion. This seems like an odd way to go about things, and to what end? It's been suggested to me that Microsoft might hide the fact that they are patching security vulnerabilities that they found themselves to avoid some sort of liability. I don't see why that works, especially when the alternative they chose would be to lie to the customers about what files are being updated for what purpose. The latter seems more likely to get you in legal trouble. -----Original Message----- From: disco jonny [mailto:discojonny () gmail com] Sent: Wednesday, March 31, 2010 11:17 AM To: Larry Seltzer Cc: funsec () linuxbox org Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs isnt this the point of what i said before? they do do in house security testing after a product has shipped, however they do not publically release the information for the security bugs they find and patch - they roll them out with the other patches. (or service pack) you can see this if you diff the patches and compare to the advisories. it doesnt happen every patch day. but it does happen. I am sure if you read my previous message about this then you will see that i ahve already said this. On 31 March 2010 13:20, Larry Seltzer <larry () larryseltzer com> wrote:Can you point me to any disclosures for security vulnerabilities you found? Or were they patched silently? -----Original Message----- From: disco jonny [mailto:discojonny () gmail com] Sent: Wednesday, March 31, 2010 8:14 AM To: Larry Seltzer Cc: funsec () linuxbox org Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Thats alright then. good to know i didnt look for or find any bugs. I wonder why they paid me. On 28 March 2010 23:45, Larry Seltzer <larry () larryseltzer com> wrote:I know because I asked them and they gave me an actual response. In the last 18 months they found exactly 1 vulnerability themselves, and they found it ancillary to looking into the Kaminsky DNS bug after Dan Kaminsky reported that to them. Larry Seltzer Contributing Editor, PC Magazine http://blogs.pcmag.com/securitywatch/ Sent from my BlackBerry ----- Original Message ----- From: disco jonny <discojonny () gmail com> To: Larry Seltzer Cc: funsec () linuxbox org <funsec () linuxbox org> Sent: Sun Mar 28 16:45:51 2010 Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugsBut once the product ships they stop looking.rubbish. I have worked there and seen that they do continual vuln assessment through out a products lifetime. [well for the products i worked on. (office 2k3 & 2k7)] They just dont beat their chest when they patch [they do it silently and push it out with the disclosed vulns] - reverse a few patches and see how many issues are fixed. You seem to often think how it is then state that it is like that - as a fact. it really annoys me. How do you know what ms does and doesnt do? On 27 March 2010 12:58, Larry Seltzer <larry () larryseltzer com> wrote:I wrote about this myself a little while ago: http://blogs.pcmag.com/securitywatch/2009/12/does_microsoft_look_for_vul ner.php Microsoft puts a lot of effort into security research for products under development. But once the product ships they stop looking. Alex Sotirov pointed out that Microsoft's customers, by paying iDefense and TippingPoint and the like, end up paying for research Microsoft should be doing. Perhaps Microsoft is also a customer of these companies, I don't know. LJS -----Original Message----- From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Juha-Matti Laurio Sent: Saturday, March 27, 2010 7:24 AM To: funsec () linuxbox org Subject: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs http://www.computerworld.com/s/article/9174120/Pwn2Own_winner_tells_Appl e_Microsoft_to_find_their_own_bugs "The only researcher to "three-peat" at the Pwn2Own hacking contest said today that security is such a "broken record" that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software. Instead Charlie Miller will show the vendors how to find the bugs themselves. Miller, who yesterday exploited Safari on a MacBook Pro notebook running Snow Leopard to win $10,000 in the hacking challenge, said he's tired of the lack of progress in security. "We find a bug, they patch it," said Miller. "We find another bug, they patch it. That doesn't improve the security of the product." Juha-Matti _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs, (continued)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs disco jonny (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Larry Seltzer (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs disco jonny (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Larry Seltzer (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Dan Kaminsky (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Larry Seltzer (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Valdis . Kletnieks (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Dan Kaminsky (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Larry Seltzer (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Larry Seltzer (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs disco jonny (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Blue Boar (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs disco jonny (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Craig Schmugar (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Larry Seltzer (Mar 31)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Nick FitzGerald (Mar 31)