Full Disclosure mailing list archives

Re: 3 new MS patches next week... but none fix


From: Tim <tim-security () sentinelchicken org>
Date: Fri, 9 Jan 2004 20:44:04 -0800


Time for me to get on my soapbox too.

What are the three patches, what's your source of information, and do they
fix things readers of this list need to know about?

Less gossip, more information, please.

Sorry if you consider this to be more gossip.  I know nothing of these 3
patches being released, but I thought this bit of background might be
illuminating: 

A certain very large vendor has been trying to court my company, and
during small talk over lunch, we mentioned we were very busy with the M$
patch batch of the month.  In a little mum's-the-word response, the
vendor representative implied that they could make that problem 
"go away" with something they called "virtual patches", which he was
quite smug about.  I was very confused at first, as he didn't appear to
be trying to sell a specific product, but when I ran the conversation
back through my mind, I realized that M$ must be giving pre-release
information to major vendors.  Probably for a hefty price tag.

This is sickening to me.  M$ likely is making money off of their own
liability.  This is very similar to the bullshit trick the ISC has been
pulling with BIND.

In any case, this may be the source of the leaks.  Not that this 3rd or
4th hand information should be trusted, but it might explain the source.

cheers,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

