RE: [Full-Disclosure] 3 new MS patches next week... but none fix

From: Joe (mvp_at_joeware.net)
Date: 01/10/04

    To: <full-disclosure@lists.netsys.com>
    Date: Sat, 10 Jan 2004 10:03:16 -0500

    MS does beta test fixes, some companies could be on that beta test program.
    However, I really highly doubt MS is documenting specific bug issues they
    are generating fixes for and the details of those fixes and selling it to
    companies as that would be a huge liability issue. That would ultimately get
    out and damage MS and no matter how much people hate MS, they didn't get to
    where they are by being outright stupid. I realize there isn't anything that
    can be said to someone who has a differing opinion. It is like the Pete Rose
    and the Hall of Fame question, some people think he should be in, some
    people don't; you can't convince either side otherwise.

    Most likely what the guy is selling (or trying to sell) is some sort of
    IDS/network system that grabs the problem packets before they get to the
    server's application layer to do damage. Companies like eEye have been doing
    this for a long time - have a predefined "these packets are within our
    tolerances" baseline and then anything that is outside of it gets squished.
    It is actually a good idea (I think) for any machine publicly exposed. You
    define the traffic you are willing to take including request lengths, etc.
    for various ports/protocols and anything outside of that gets dropped and an
    error is generated. Maybe it is a new way to access a new app on the box,
    maybe it is a new attack style. Either way if say that HTTP request is
    composed of more than say x bytes, the http daemon never sees it.

    If the company had a real patch that they developed from detailed purchased
    info from MS I think the patch wouldn't be called virtual and it would
    violate the crap out of whatever license they have with MS to get that info
    in the first place. Hell, a company with a good firewall product could call
    that virtual patching... You run our product and you are virtually patched
    from all of these attack vectors and never have to install the official
    MS/Linux/BSD/Solaris/??/Cray specific patch unless you want to.

    The huge liability hole I would see is say some company buys that info MS
    allegedly publishes, generates some attack code and robs some company or
    government blind with it. If the info came out that the data concerning how
    to compromise that hole came straight from MS without MS first providing a
    publicly available patch I could visualize a slew of lawyers descending and
    claiming MS was an accomplice.

      joe


    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Tim
    Sent: Friday, January 09, 2004 11:44 PM
    To: Randal, Phil
    Cc: full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] 3 new MS patches next week... but none fix

    A certain very large vendor has been trying to court my company, and during
    small talk over lunch, we mentioned we were very busy with the M$ patch
    batch of the month. In a little mum's-the-word response, the vendor
    representative implied that they could make that problem "go away" with
    something they called "virtual patches", which he was quite smug about. I
    was very confused at first, as he didn't appear to be trying to sell a
    specific product, but when I ran the conversation back through my mind, I
    realized that M$ must be giving pre-release information to major vendors.
    Probably for a hefty price tag.

    This is sickening to me. M$ likely is making money off of their own
    liability. This is very similar to the bull*** trick the ISC has been
    pulling with BIND.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
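The "virtual patching" Joe describes above, a predefined traffic baseline enforced in front of the daemon, as an added example that is not code from the thread or from any vendor product. The limits, the `Baseline` policy class and the sample requests are constructed for illustration; a deployment would tune them per service.

```python
"""Toy 'virtual patch' filter: enforce a traffic baseline before an HTTP daemon sees the request."""
from dataclasses import dataclass


@dataclass
class Baseline:
    # Constructed example limits (hypothetical); tune per exposed port/protocol.
    methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    max_request_line: int = 2048
    max_header_line: int = 4096
    max_headers: int = 64
    max_total_bytes: int = 16384


def check_request(raw: bytes, policy: Baseline) -> tuple[bool, str]:
    """Return (accept, reason). Anything outside the baseline is rejected
    here, so the application layer never receives it."""
    if len(raw) > policy.max_total_bytes:
        return False, "request exceeds total size limit"
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    if len(request_line) > policy.max_request_line:
        return False, "request line too long"
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return False, "malformed request line"
    if parts[0].decode("ascii", "replace") not in policy.methods:
        return False, "method not in baseline"
    if len(headers) > policy.max_headers:
        return False, "too many headers"
    for h in headers:
        if len(h) > policy.max_header_line:
            return False, "header line too long"
        if b":" not in h:
            return False, "malformed header"
    return True, "within baseline"


# Constructed sample traffic: one ordinary request, one with an oversized request line.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
OVERLONG = b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for req in (NORMAL, OVERLONG):
        print(check_request(req, Baseline()))
```

The filter only answers whether traffic fits the declared tolerances; it logs a reason for the drop rather than attempting to recognise any particular attack.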