Security Incidents mailing list archives

RE: Releasing patches is bad for security


From: "Gary Nichols" <GNichols () phx1 bcbsaz com>
Date: Thu, 26 Feb 2004 14:35:35 -0700


"Curt Purdy" <purdy () tecman com> wrote on 2/26/2004 1:05:05 PM:

> Then how did I get a copy of dcom.exe 2 days before they released the DCOM
> RPC patch?  And it was surely in the deep underground longer than that.  A
> very effective exploit too, giving you a command line in 5 seconds on an
> unpatched box.
>
> I would call it less of a hoot and more like a bald-faced lie.

I completely agree with you, Curt.  Here's my take from my experience:

Some MS security vulnerabilities are found by white-hats, who contact the vendor (MS) in good faith.  The vendor (MS)
typically sits on them and does not issue a patch immediately.

What this gentleman does not realize is that a large portion of white-hats are actually grey-hats who sit on the
fence and have contacts in the black-hat community.

Information is shared between the grey-hat and black-hat communities all the time, which in turn leads to exploit software
being written, tested and used in the black-hat community.

The tools are kept pretty quiet until they get into the hands of script-idiots.  MS typically finds out that an
underground exploit is being used against a known bug, and *then* they issue a patch.  Once the patch is issued, the
gloves come off in the black-hat community and the tools are distributed publicly.  Hence the "vulnerabilities aren't
exploited until a patch comes out" myth is just that - a myth.  This guy needs to go outside more often.

Gary
