Full Disclosure mailing list archives
Re: Security Alert: Unofficial IE patches appear on internet
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Tue, 28 Mar 2006 11:52:04 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

n3td3v wrote:
> Security Alert: Microsoft, who wait for a "Patch Tuesday" to release software solutions for critical bugs, are creating a world of opportunity for hackers to take advantage of the situation. Not only do unofficial patches allow script kids to patch systems, but it allows for phishing of malicious fake patches (phishing) to appear on the web, which may contain further evil code unrelated to the initial flaw...
[snip]
> Lastly, we stress Microsoft again to solve the trend of third-party patches, with all its side effects and security threats attached to it, by releasing patches before a "Patch Tuesday" for critical flaws.
Newsflash, idiot: you're not the first one to think of this. Plenty of people at Microsoft beat you to the punch. When the threat environment created by a vulnerability is as serious as this case and the available code-independent workarounds (i.e., other than patches) are so poor, Microsoft will be inclined strongly against holding on to this patch. I'd venture to bet that Microsoft will make this patch available as soon as they're confident in the quality of it. Their first patch day is, at this point, nothing more than a benchmark. They might beat it, but they almost certainly won't fall short of it unless there are major quality issues.

The other thing that you obviously have no clue about is that even a release on Patch Tuesday is "out-of-cycle" as far as Microsoft's test processes are concerned. Microsoft normally issues IE patches on a two-month cycle -- February, April, June, August, October, December. You can bet that they don't release patches for non-public vulnerabilities with a mere 20 days of testing (and that assumes they started on the patch the day the issue was published). When I reported a vulnerability in August that was (originally) scheduled for a bulletin, Microsoft said that if it made a bulletin, the earliest would be December. That was just shy of four months, and they weren't even certain it would make that release cycle. Microsoft doesn't have that kind of time here, and it's a damn sure bet that they aren't taking it.

Some good documentation on Microsoft's patch development processes (and how they vary for products) would help you avoid this ignorant and noobish mistake and put an end to ignorant media reporting about how Microsoft is sticking to its schedule with this patch -- which couldn't be much further from the truth. I guess it's easier to bash Microsoft for made-up, delusional reasons like "they're standing and watching while people get 0wn3d!" than for the real reasons (i.e., a six-month "standard procedure" patch process).

Those in the latter category actually require some work to understand, and apparently don't give people the instant ego boost of thinking they're "taking on the monopoly". If you want people to take you seriously, you should try sticking to facts. If you're seen as another wolf-crier preaching about how Microsoft is Satan (which you are, as far as I'm concerned), you will quickly lose credibility. That is, of course... assuming there was credibility to lose.

- --
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot." -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFEKXfEfp4vUrVETTgRAzg8AKCEwQHzHdvGwnpJJQZ2tp0N2tyEYACgiXku
u/x2zbhvAWFHS/gINWaP+N8=
=YUtJ
-----END PGP SIGNATURE-----
Attachment: smime.p7s (S/MIME Cryptographic Signature)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Security Alert: Unofficial IE patches appear on internet n3td3v (Mar 28)
- Re: Security Alert: Unofficial IE patches appear on internet Matthew Murphy (Mar 28)
- Re: Security Alert: Unofficial IE patches appear on internet n3td3v (Mar 28)
- Re: Security Alert: Unofficial IE patches appear on internet Micheal Espinola Jr (Mar 28)
- Re: Security Alert: Unofficial IE patches appear on internet n3td3v (Mar 28)
- Re: Security Alert: Unofficial IE patches appear on internet nocfed (Mar 28)
- Re: Security Alert: Unofficial IE patches appear on internet Micheal Espinola Jr (Mar 28)
- Re: Security Alert: Unofficial IE patches appear on internet n3td3v (Mar 28)
- Re: Security Alert: Unofficial IE patches appear on internet Matthew Murphy (Mar 28)
- RE: Security Alert: Unofficial IE patches appearon internet William Lefkovics (Mar 28)
- Re: Security Alert: Unofficial IE patches appear on internet Matthew Murphy (Mar 28)
- Re: Security Alert: Unofficial IE patches appear oninternet GroundZero Security (Mar 29)
- Re: Security Alert: Unofficial IE patches appear oninternet n3td3v (Mar 29)
- Re: Security Alert: Unofficial IE patches appearoninternet (off topic) GroundZero Security (Mar 29)