RE: Releasing patches is bad for security

From: James P. Saveker (
Date: 03/03/04

    Date: Wed, 3 Mar 2004 19:17:04 -0000
    To: "Dozal, Tim" <>

    My word, you are brave Tim. I said something similar on Full Disclosure and
    got quite a telling off.

    I have to fully support your comments and also make another point.

    The new patch model for longhorn will not require reboots. They are
    investing a great deal of money in security now as before they had valued
    functionality over security.

    Current patches are getting smaller as with large enterprises bandwidth can
    be at a premium.

    For large businesses they offer SMS as a great tool for patch deployment,
    including being aware of remote users and making use of the "bits"
    technology. For smaller businesses they offer SUS for FREE!!

    I am not saying that MS have always got it right in the past, quite frankly
    they have not. Things are changing with MS, time will tell.

    James Saveker

    "The only thing which helps me maintain my slender grip on reality is the
    friendship I share with my collection of singing potatoes..."

    -----Original Message-----
    From: Dozal, Tim []
    Sent: 03 March 2004 01:19
    Subject: RE: Releasing patches is bad for security

    After sitting in on some of the discussion at the security conferences on
    the MS campus their strategy is as sound as any I have seen proposed. They
    are only releasing out of cycle patches for things that are wormable. Other
    vulnerabilities as they are discovered, no matter the source of the
    discovery, are released in scheduled patches.

    This is to aid their large customers, the ones who usually take the longest
    time to deploy patches, have strict IT policy and also pay a TON of $$$ to
    MS for their software.

    You miss MS intent with:

    I mean.. *really*.. apply a few neurons. What black hat who didn't just
    fall out of a tree is going to reveal his 0-day in a worm before its
    usefulness has dried up?

    Those are things they patch in cycle as they are discovered, and trends show
    the largest impacting virus threats from these occur AFTER the patches. The
    smart hackers who have early 0-day exploits will always exist, they are the
    needle in the haystack not the atomic bomb MS is trying to deal with in
    their recent patch changes and policy changes.

    2003 and longhorn will be quite a different story, MS has learned turning
    everything on for ease of use is not smart or secure so the next gen stuff
    is more secure in the idea that if it's not turned on specifically by the
    customer it's not turned on at all. This will make for a huge reduction in
    the attack surface of the hosts, again a step in a long line of steps that
    are needed to make the entire solution secure.


    -----Original Message-----
    From: []
    Sent: Tuesday, March 02, 2004 8:51 AM
    To: Dozal, Tim
    Subject: Re: Releasing patches is bad for security

    On Mon, 01 Mar 2004 14:40:40 PST, "Dozal, Tim" <> said:
    > The question to ask yourself is do the vulnerabilities get exploited
    > before or after MS releases the patches. I think for code red/Nimda
    > MS posted a patch and some 300ish days later the worm hit. Then move
    > ahead

    Note that there's a major logic flaw in here - "vulnerabilities exploited"
    is *NOT* the same thing as "worm". Microsoft *wants* you to make that
    logical error, because they don't want you thinking about all the unpatched
    holes in IE, and they don't want you thinking about how many black hats have
    0-days that they're not attaching to worms because then they'd lose the use
    of that 0-day.

    I mean.. *really*.. apply a few neurons. What black hat who didn't just
    fall out of a tree is going to reveal his 0-day in a worm before its
    usefulness has dried up?

    If anything, the fact that Nimda was 300 days and Blaster was only 18, is
    proof that:

    a) The percentage of people patching quickly is going up, *and*
    b) this means that throwing away your 0-day on "diminishing returns" is
    happening faster.

    Obviously, whoever released Nimda was using their 0-day for months after the
    patch before enough people closed the hole that they said "screw this, this
    one's gotten lame" and launched a worm. It only took 2 weeks of
    concentrated patching before the owner of the Blaster 0-day threw in the

    Remember why we originally *started* the full-disclosure movement - without
    it, the vendors won't move and the 0-days will circulate for *years*.
