Security Incidents mailing list archives

RE: Releasing patches is bad for security


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Tue, 2 Mar 2004 10:51:40 -0500

You can monitor activity for a particular port on the Internet Storm
Center (http://isc.sans.org).  In the case of Blaster, if you look at
the port 135 scanning activity around the time of the Blaster release
(Aug 16, 2003), you can see an increase in traffic just prior to the
release of the patch.  There is also a noticeable ramping up prior to
that, prior to the 10th of August that is.
http://isc.sans.org/port_details.html?port=135&repax=1&tarax=2&srcax=2&percent=N&days=270&Redraw=Submit+Query

I think this supports the idea that somebody knew prior to the patch
release.  Things certainly got busier after the patch was released.
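The before/after comparison described above can be done on exported per-day port counts rather than by eyeballing the ISC graph. The following Python script is an added example; it is not part of Jerry's post or the list archive. It assumes a simple "YYYY-MM-DD,count" export format (an assumption, not ISC's actual format), and the 60-day series it builds is constructed for illustration and bears no relation to real ISC port-135 figures. The two dates it uses are real: the MS03-026 patch was published on 16 July 2003 and Blaster was first seen on 11 August 2003.

```python
"""Quantify scan activity around a patch date and a worm date.

Added example, not code from the original post. Input is a list of
(date, count) pairs, e.g. distinct sources probing TCP/135 per day.
The sample series below is constructed and is NOT real ISC data.
"""
from datetime import date, timedelta
from statistics import mean

# Real dates: MS03-026 patch published 16 July 2003; Blaster first seen 11 Aug 2003.
PATCH_DATE = date(2003, 7, 16)
WORM_DATE = date(2003, 8, 11)


def parse_daily_counts(text):
    """Parse 'YYYY-MM-DD,count' lines (assumed export format, not ISC's own)
    into a list of (date, int) sorted by date. Blank lines and '#' comments
    are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, count = line.split(",")
        rows.append((date.fromisoformat(day), int(count)))
    return sorted(rows)


def constructed_series():
    """Constructed 60-day series of 'distinct sources probing TCP/135 per day'.
    Shape: flat baseline, a bump in the three days before the patch, a higher
    plateau after it, a further rise just before the worm, then the worm."""
    lines = []
    start = date(2003, 6, 20)
    for i in range(60):
        d = start + timedelta(days=i)
        if d < date(2003, 7, 13):
            n = 100 + (i % 5)          # quiet baseline with small jitter
        elif d < PATCH_DATE:
            n = 180                    # bump in the three days before the patch
        elif d < date(2003, 8, 8):
            n = 300                    # exploit circulating after patch diffing
        elif d < WORM_DATE:
            n = 800                    # ramp-up in the three days before the worm
        else:
            n = 5000                   # worm scanning
        lines.append(f"{d.isoformat()},{n}")
    return parse_daily_counts("\n".join(lines))


def window_mean(series, start, end):
    """Mean count over days with start <= day < end, or None if the window is empty."""
    vals = [n for d, n in series if start <= d < end]
    return mean(vals) if vals else None


def ramp_up(series, event, window_days=3, baseline_days=14):
    """Compare the `window_days` immediately before `event` with the
    `baseline_days` before that window. Returns (baseline_mean, window_mean,
    ratio); a ratio well above 1 means activity rose before the event date."""
    win_start = event - timedelta(days=window_days)
    base_start = win_start - timedelta(days=baseline_days)
    base = window_mean(series, base_start, win_start)
    win = window_mean(series, win_start, event)
    if base is None or win is None or base == 0:
        raise ValueError("not enough data around the event date")
    return base, win, win / base


def after_vs_before(series, event, days=7):
    """Mean of the `days` starting at `event` divided by the mean of the
    `days` before it: did things get busier once the event was public?"""
    before = window_mean(series, event - timedelta(days=days), event)
    after = window_mean(series, event, event + timedelta(days=days))
    if before is None or after is None or before == 0:
        raise ValueError("not enough data around the event date")
    return after / before


def analyze(series, patch_date=PATCH_DATE, worm_date=WORM_DATE):
    """The comparisons the thread argues about, as plain ratios and a day count."""
    return {
        "pre_patch_ramp": ramp_up(series, patch_date)[2],
        "post_patch_vs_pre": after_vs_before(series, patch_date),
        "pre_worm_ramp": ramp_up(series, worm_date)[2],
        "patch_to_worm_days": (worm_date - patch_date).days,
    }


if __name__ == "__main__":
    for key, val in analyze(constructed_series()).items():
        print(f"{key}: {val:.2f}" if isinstance(val, float) else f"{key}: {val}")
```

The pre-event ratio is computed against a baseline that ends before the window, so a slow rise over the whole period shows up as a modest ratio while a sharp bump in the last few days before the patch stands out; the after/before ratio is the separate question of whether activity grew once the patch was public. On real ISC data the count should be the number of distinct sources rather than raw packets, since a handful of fast scanners can swamp the latter.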

-----Original Message-----
From: Dozal, Tim [mailto:tdozal () cisco com] 
Sent: Monday, March 01, 2004 5:41 PM
To: Joe Miller; Chris Brenton; incidents () securityfocus com
Subject: RE: Releasing patches is bad for security


The question to ask yourself is: do the vulnerabilities get exploited
before or after MS releases the patches?  I think for Code Red/Nimda MS
posted a patch and some 300-ish days later the worm hit.  Then move ahead
a year and the Blaster patch is released, then some 18 days later the worm
hits.  If you take what MS is saying about the worm-following-patch
trend, I think it's accurate.  The problem then is how to release patches
in such a way as to allow large IT organizations the time to deploy them
before the worm hits.

The recent steps to stick to a patch cycle have helped me and probably
many others to set dates for MS patches ahead of hearing about them the
morning they are released.  If on the 2nd Tuesday of the month nothing
is released, great: no IT patch deployment, I'm happy.  However, if
something is released then it's expected and has been planned for ahead
of time, no shock.

Asking for software to be bug free is NEVER going to happen.  It's just
not the way the industry works.  If you look at anything, even Linux, it
has tons of bugs; they get fixed over time.  Companies hire the best
available talent from the available resource pools and do what they can to
make money; it's a business.

RE:
I would hope MS has hundreds of the brightest software engineers
specifically focused on finding security flaws in all of their software.
They should also hire third party security engineers

They do; I've met many of them.  But as good as they might be, they will
never find everything; it's a reality of the industry.

Tim 


-----Original Message-----
From: Joe Miller [mailto:joseph-p-miller () cox net] 
Sent: Saturday, February 28, 2004 11:49 AM
To: Chris Brenton; incidents () securityfocus com
Subject: Re: Releasing patches is bad for security

I would hope MS has hundreds of the brightest software engineers
specifically focused on finding security flaws in all of their software.
They should also hire third-party security engineers to do the same
until all security holes are discovered, and code rewrites planned, designed
and deployed, before the company chokes to death on its own mistakes.
They certainly have enough liquid assets to do so.
They also have enough cash to then hire the brightest security and
software engineers to develop OSes and applications while incorporating
security specs, reasonable care and due diligence.  Developing the
security controls with the OS and applications is the only way Microsoft
will survive as a software company of the future.

============================================================
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: 2004/02/26 Thu PM 01:31:03 EST
To: incidents () securityfocus com
Subject: Releasing patches is bad for security

Greets all,

This is just such a hoot I had to share:
http://news.bbc.co.uk/1/hi/technology/3485972.stm

The story quotes David Aucsmith, who is in charge of technology at
Microsoft's security business and technology unit as stating:

"We have never had vulnerabilities exploited before the patch was
known,"

The story then goes on to talk about how vulnerabilities are always
reverse engineered from patches. It really sounds to me like he's saying
that patches are *the* problem and if only Microsoft would stop
releasing patches, then all the security issues would just go away.

Microsoft has already dropped down to a monthly patch system. Even then
they have already been skipping months. Could this be early PR spin to
justify not releasing security patches? 

C




