Security Incidents mailing list archives
RE: Releasing patches is bad for security
From: "Gary Nichols" <GNichols () phx1 bcbsaz com>
Date: Thu, 26 Feb 2004 14:35:35 -0700
"Curt Purdy" <purdy () tecman com> 2/26/2004 1:05:05 PM >>>
> Then how did I get a copy of dcom.exe 2 days before they released the DCom RPC patch? And it was surely in the deep underground longer than that. A very effective exploit too, giving you a command line in 5 seconds on an unpatched box. I would call it less of a hoot and more like a bald-faced lie.

I completely agree with you Curt. Here's my take from my experience:

Some of MS security vulnerabilities are found by white-hats, who contact the vendor (MS) in good faith. The vendor (MS) typically sits on them and does not issue a patch immediately. What this gentleman does not realize is that a large portion of white-hats are actually grey-hats who sit on the fence and have contacts in the black-hat community. Information is shared between the grey and black hat communities all the time, which in turn leads to exploit software being written, tested and used in the black-hat community. The tools are kept pretty quiet until they get in the hands of script-idiots.

MS typically finds out that an underground exploit is being used against a known bug, and *then* they issue a patch. Once the patch is issued, the gloves come off in the black-hat community and the tools are distributed publicly. Hence the "vulnerabilities aren't exploited until a patch comes out" myth is just that - a myth. This guy needs to go outside more often.

Gary

The information in this E-mail message is confidential and for the sole use of the intended recipient. If you are not the intended recipient, you are hereby notified that any dissemination, distribution, copying or use of this information is strictly prohibited. If you received this communication in error, please notify the sender immediately. Blue Cross and Blue Shield of Arizona, Inc. and its subsidiaries and affiliates are not responsible for errors, omissions or personal comments in this E-mail message.