RE: Releasing patches is bad for security

From: Gary Nichols (GNichols_at_phx1.bcbsaz.com)
Date: 02/26/04

  • Next message: Pall Thayer: "Re: Releasing patches is bad for security"
    Date: Thu, 26 Feb 2004 14:35:35 -0700
    To: <incidents@securityfocus.com>
    
    

    >>> "Curt Purdy" <purdy@tecman.com> 2/26/2004 1:05:05 PM >>>
    Then how did I get a copy of dcom.exe 2 days before they released the DCom
    RPC patch. And it was surely in the deep underground longer than that. A
    very effective exploit too, giving you a command line in 5 seconds on an
    unpatched box.

    I would call it less of a hoot and more like a bald-faced lie.

    I completely agree with you Curt. Here's my take from my experience:

    Some MS security vulnerabilities are found by white-hats, who contact the vendor (MS) in good faith. The vendor (MS) typically sits on them and does not issue a patch immediately.
      
    What this gentleman does not realize is that a large portion of white-hats are actually grey-hats who sit on the fence and have contacts in the black-hat community.
     
    Information is shared between the grey and black hat communities all the time, which in turn leads to exploit software being written, tested and used in the black-hat community.

    The tools are kept pretty quiet until they get in the hands of script-idiots. MS typically finds out that an underground exploit is being used against a known bug, and *then* they issue a patch. Once the patch is issued, the gloves come off in the black-hat community and the tools are distributed publicly. Hence the "vulnerabilities aren't exploited until a patch comes out" myth is just that - a myth. This guy needs to go outside more often.

    Gary

    The information in this E-mail message is confidential and for
    the sole use of the intended recipient. If you are not the
    intended recipient, you are hereby notified that any
    dissemination, distribution, copying or use of this information
    is strictly prohibited. If you received this communication in
    error, please notify the sender immediately. Blue Cross and
    Blue Shield of Arizona, Inc. and its subsidiaries and affiliates
    are not responsible for errors, omissions or personal comments
    in this E-mail message.
