Re: [Full-disclosure] Security Alert: Unofficial IE patches appear on internet



-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

n3td3v wrote:
Security Alert:
Microsoft who wait for a "Patch Tuesday" to release software solutions
for critical bugs are creating a world of opportunity for hackers to
take advantage of the situation. Not only do unofficial patches allow
script kids to patch systems, but it allows for phishing of malcious
fake patches (phishing) to appear on web, which may comtain further evil
code unrelated to the initial flaw...
[snip]
Lastly, we stress Microsoft again to solve the trend of third party
patches with all its side effects and security threats attached to it by
releasing patches before a "Patch Tuesday" for critical flaws.

Newsflash, idiot: you're not the first one to think of this. Plenty of
people at Microsoft beat you to the punch. When the threat environment
created by a vulnerability is as serious as this case and the available
code-independent workarounds (i.e., other than patches) are so poor,
Microsoft will be inclined strongly against holding on to this patch.

I'd venture to bet that Microsoft will make this patch available as soon
as they're confident in the quality of it. Their first patch day is, at
this point, nothing more than a benchmark. They might beat it but they
almost certainly won't fall short of it unless there are major quality
issues.

The other thing that you obviously have no clue of is that even a
release on patch Tuesday is "out-of-cycle" as far as Microsoft's test
processes are concerned. Microsoft normally issues IE patches on a two
month cycle -- February, April, June, August, October, December.

You can bet that they don't release patches for non-public
vulnerabilities with a mere 20 days of testing (and that assumes they
started on the patch the day the issue was published). When I reported
a vulnerability in August that was (originally) scheduled for a
bulletin, Microsoft said that if it made a bulletin, the earliest would
be December. That was just shy of four months, and they weren't even
certain it would make that release cycle. Microsoft doesn't have that
kind of time here, and it's a damn sure bet that they aren't taking it.

Some good documentation on Microsoft's patch development processes (and
how they vary for products) would help you avoid this ignorant and
noobish mistake and put an end to ignorant media reporting about how
Microsoft is sticking to its schedule with this patch -- which couldn't
be much further from the truth.

I guess it's easier to bash Microsoft for made-up, delusional reasons
like "they're standing and watching while people get 0wn3d!" than for
the real reasons (i.e., a six-month "standard procedure" patch process).
Those in the latter category actually require some work to understand,
and apparently don't give people the instant ego boost of thinking
they're "taking on the monopoly".

If you want people to take you seriously, you should try sticking to
facts. If you're seen as another wolf-crier preaching about how
Microsoft is Satan (which you are, as far as I'm concerned), you will
quickly lose credibility. That is, of course... assuming there was
credibility to lose.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

-- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFEKXfEfp4vUrVETTgRAzg8AKCEwQHzHdvGwnpJJQZ2tp0N2tyEYACgiXku
u/x2zbhvAWFHS/gINWaP+N8=
=YUtJ
-----END PGP SIGNATURE-----

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: Why not patch all windows and not just legal copies
    ... requirement from the genuine Microsoft site or put the genuine microsoft ... patches on a FTP somewhere under a CVS like ... very easy path for these thieves to patch their nasty computers. ...
    (microsoft.public.security)
  • Re: [Full-disclosure] Security Alert: Unofficial IE patches appear on internet
    ... created by a vulnerability is as serious as this case and the available ... Microsoft will be inclined strongly against holding on to this patch. ... Microsoft often have patches ready but wait for the corporate known ...
    (Full-Disclosure)
  • Re: A cheapo Acer laptop matches Macbook Pro in benchmarks!
    ... the difference is in the time you go without the patch. ... you miss the point that Microsoft is creating an ARTIFICIAL ... Otherwise Apple is holding back the release of patches. ...
    (comp.sys.mac.advocacy)
  • Re: Worm in Patch
    ... a naive and trusting nature in your personality believing that you would ... "receive a patch" instead of getting it from a trusted source..? ... Essentially - Microsoft never emails you a patch. ... using Windows XP "prettifications". ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Why do i keep on receiving shutdown system ?
    ... the Microsoft provided information on the matter can be ... The Symantec Repair utility and manual removal instructions can be found ... The patch that would have prevented this whole fiasco for you: ... If you have Sasser, the Microsoft provided information on the matter can be ...
    (microsoft.public.windowsxp.security_admin)