Full Disclosure mailing list archives

Re: Security Alert: Unofficial IE patches appear on internet


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Tue, 28 Mar 2006 11:52:04 -0600


n3td3v wrote:
Security Alert:
Microsoft who wait for a "Patch Tuesday" to release software solutions
for critical bugs are creating a world of opportunity for hackers to
take advantage of the situation. Not only do unofficial patches allow
script kids to patch systems, but it allows for phishing of malicious
fake patches (phishing) to appear on web, which may contain further evil
code unrelated to the initial flaw...
[snip]
Lastly, we stress Microsoft again to solve the trend of third party
patches with all its side effects and security threats attached to it by
releasing patches before a "Patch Tuesday" for critical flaws.

Newsflash, idiot: you're not the first one to think of this.  Plenty of
people at Microsoft beat you to the punch.  When the threat environment
created by a vulnerability is as serious as this case and the available
code-independent workarounds (i.e., other than patches) are so poor,
Microsoft will be inclined strongly against holding on to this patch.

I'd venture to bet that Microsoft will make this patch available as soon
as they're confident in the quality of it.  Their first patch day is, at
this point, nothing more than a benchmark.  They might beat it but they
almost certainly won't fall short of it unless there are major quality
issues.

The other thing that you obviously have no clue about is that even a
release on Patch Tuesday is "out-of-cycle" as far as Microsoft's test
processes are concerned.  Microsoft normally issues IE patches on a two
month cycle -- February, April, June, August, October, December.

You can bet that they don't release patches for non-public
vulnerabilities with a mere 20 days of testing (and that assumes they
started on the patch the day the issue was published).  When I reported
a vulnerability in August that was (originally) scheduled for a
bulletin, Microsoft said that if it made a bulletin, the earliest would
be December.  That was just shy of four months, and they weren't even
certain it would make that release cycle.  Microsoft doesn't have that
kind of time here, and it's a damn sure bet that they aren't taking it.

Some good documentation on Microsoft's patch development processes (and
how they vary for products) would help you avoid this ignorant and
noobish mistake and put an end to ignorant media reporting about how
Microsoft is sticking to its schedule with this patch -- which couldn't
be much further from the truth.

I guess it's easier to bash Microsoft for made-up, delusional reasons
like "they're standing and watching while people get 0wn3d!" than for
the real reasons (i.e., a six-month "standard procedure" patch process).
Those in the latter category actually require some work to understand,
and apparently don't give people the instant ego boost of thinking
they're "taking on the monopoly".

If you want people to take you seriously, you should try sticking to
facts.  If you're seen as another wolf-crier preaching about how
Microsoft is Satan (which you are, as far as I'm concerned), you will
quickly lose credibility.  That is, of course... assuming there was
credibility to lose.

--
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

