Re: Public disclosure of discovered vulnerabilities

From: Andi Kleen (freitag_at_alancoxonachip.com)
Date: 05/17/05


Date: 17 May 2005 15:38:58 +0200


"Stephen Sprunk" <stephen@sprunk.org> writes:
>
> Unfortunately, certain vendors absolutely refuse to fix a security hole,
> often denying that it exists even when presented with irrefutable
> evidence, unless it's made public and customer pressure becomes
> significant. There's nothing to be gained by delaying public release of

This attitude used to be very common, but luckily it is now disappearing more and
more because there has been an industry-wide push for more
security. I guess even executives traditionally ignorant of such issues
get the message that something needs to be done when their mailboxes
get flooded by e-mail worms.

> In contrast, one vendor I worked with would fix security bugs and ship
> patches (without telling customers what they fixed) as quickly as

That seems like a bad strategy because software patches can usually be
reverse engineered relatively easily. Disassembling a big program is
quite tough because it is so much code, but just looking at the
differences from an earlier version of the image is much easier.

So a blackhat just needs to watch the new patches and then use the
exploits before all the customers know about it and have updated their
systems. Worst of both ways.

-Andi
