Full Disclosure mailing list archives
Re: Security Alert: Unofficial IE patches appearoninternet (off topic)
From: "GroundZero Security" <fd () g-0 org>
Date: Wed, 29 Mar 2006 16:59:35 +0200
"Imaginary and pretending"... I like that one.
Sure you like that, because that is the definition of n3td3v.
----- Original Message -----
From: n3td3v
To: full-disclosure () lists grok org uk
Sent: Wednesday, March 29, 2006 3:29 PM
Subject: Re: [Full-disclosure] Security Alert: Unofficial IE patches appearoninternet
On 3/29/06, GroundZero Security <fd () g-0 org> wrote:
Oh shut up, I thought you had unsubscribed from this list?
You claim that your imaginary people work for Microsoft,
so why don't you simply tell them to act up instead of
annoying everyone here on FD. Stop pretending and get lost.
Unofficial patches are not evil no matter what you think about them.
You have no clue anyway.... do you even know what a patch is?
Unofficial patches are just meant as initial help until a proper patch
is out, not for mission critical systems. Microsoft needs time to
develop a proper patch as they can't simply throw together a patch,
but also have to test if it won't break any existing software etc. as
Windows is so widely used on tons of different platforms and along
with so many software products, that they have to make sure it's all
stable. Sure they can't always have perfect results, but if you have
to bitch so much about it, why don't you write a proper patch?
oh yes I forgot, you can't code.......
You should hear yourself. You say you've been around since 1994 but you ramble some spit about basic knowledge about
"all platforms need to be tested". Yeah, we all know this, like this is FD, we all have expertise in this field.
Another funny thing you said to someone:
"There you go on assuming my knowledge base, even though i've
been around the security scene longer than you."
Well I remember your old mails where you bragged about having
+6 years experience in the security field. So you came around
1999/2000 .. I started in 1994, so I can lay down the same attitude
To be honest I DON'T care when you started, but you don't come across as someone who has worked in the industry since
1994, far from it. Maybe you should look at your own performance on FD, before you start bashing the n3td3v security
group and the founder.
on you kiddie, isn't it? Besides that, it doesn't matter if you have hung
around on IRC for 20 years, it matters what you did in that time.
IRC? You're having a laugh right...
Others learn and improve, while you just try to look cool with your
imaginary group, yet you still expect that someone takes you seriously here.
You seem to think a handful of trolls on FD (you) bashing the n3td3v group is representative of anything credible.
----- Original Message -----
From: n3td3v
To: full-disclosure () lists grok org uk
Sent: Tuesday, March 28, 2006 8:46 PM
Subject: Re: [Full-disclosure] Security Alert: Unofficial IE patches appear oninternet
On 3/28/06, Matthew Murphy <mattmurphy () kc rr com > wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Newsflash, idiot: you're not the first one to think of this. Plenty of
people at Microsoft beat you to the punch. When the threat environment
created by a vulnerability is as serious as this case and the available
code-independent workarounds (i.e., other than patches) are so poor,
Microsoft will be inclined strongly against holding on to this patch.
Matthew firstly starts off his rant by claiming n3td3v is an idiot and then uses some clever words to talk about
something that's not entirely clear, but I guess what he is trying to say is hidden in between his wording.
I'd venture to bet that Microsoft will make this patch available as soon
as they're confident in the quality of it. Their first patch day is, at
this point, nothing more than a benchmark. They might beat it but they
almost certainly won't fall short of it unless there are major quality
issues.
You would venture to bet? There's no betting involved. They only release a patch after QA testing. Although they
can in certain situations bring forward a patch sooner. It's not about beating a patch day. Microsoft often have patches
ready but wait for the corporately known Tuesday and Thursday press release days that all corporations globally
adhere to, in the world of security and otherwise.
The other thing that you obviously have no clue of is that even a
release on patch Tuesday is "out-of-cycle" as far as Microsoft's test
processes are concerned. Microsoft normally issues IE patches on a two
month cycle -- February, April, June, August, October, December.
The other thing I "obviously" have no clue about? There you go on assuming my knowledge base, even though I've been
around the security scene longer than you. Sure, Microsoft have a "comfortable" release cycle, although that's just to
space everything out in their minds as a corporation. Remember the days before Microsoft started Patch Tuesday? Yeah,
they would release critical patches whenever they saw fit. To me the mistake was that they started "Patch Tuesday", so
as a corporation, even though it's a good thing for normal bug fixes to be issued only once monthly, it makes it harder
for Microsoft to release a patch out of cycle for "critical flaws". You seem to think there are no employees at Microsoft
who want to release patches in between Patch Tuesday. You're wrong, behind the scenes at Microsoft right now there are
loads of people saying, "we want to release in between Patch Tuesday for critical flaws, but because we've invented
Patch Tuesday for flaws generally, the more we release patches in between Patch Tuesday, the more it weakens our
Patch Tuesday policy", "We think Patch Tuesday is good, but it restricts us from pushing out patches in between that, because
we want to keep credibility for our patch release day for all other flaws". So you see, it's not that Microsoft don't
agree with out of cycle patch releases, it's just that they don't want to spoil their overall Patch Tuesday policy. Microsoft
don't like to send out mixed messages, so until the higher folks at MS start listening, Patch Tuesday will
continue to pose a threat for when critical remote access flaws come along.
You can bet that they don't release patches for non-public
vulnerabilities with a mere 20 days of testing (and that assumes they
started on the patch the day the issue was published). When I reported
a vulnerability in August that was (originally) scheduled for a
bulletin, Microsoft said that if it made a bulletin, the earliest would
be December. That was just shy of four months, and they weren't even
certain it would make that release cycle. Microsoft doesn't have that
kind of time here, and it's a damn sure bet that they aren't taking it.
We're not talking about non-public flaws! I'm talking about 0-day that goes into the wild, where exploit code is
then released, and where media hype is created and then eEye and the others create a bigger security issue than the
initial flaw.
Some good documentation on Microsoft's patch development processes (and
how they vary for products) would help you avoid this ignorant and
noobish mistake and put an end to ignorant media reporting about how
Microsoft is sticking to its schedule with this patch -- which couldn't
be much further from the truth.
Microsoft are about to release out of its cycle again for this IE vulnerability, according to my contacts. The Patch
Tuesday policy is only just a new thing; before, they would release a patch at any time of their choosing. Because of
Patch Tuesday, it now makes it more difficult for them to break this, as you would know if you had worked for a
multinational before: they don't like to backtrack on a policy which is more than acceptable for non critical flaws.
It's only the issues of critical flaws hitting the wild, where exploit code is released, where media hype is created and
then where folks like eEye release a patch, which will only ever be available to the security community and all of its
malicious users, where script kids can patch systems for their own evil agendas, and/or also separately, phishers can
release bogus eEye patches, or release a patch under another name with malicious code inserted, a lot of the time to
execute other malicious code, unrelated to the initial exploit code vulnerability.
I guess it's easier to bash Microsoft for made-up, delusional reasons
like "they're standing and watching while people get 0wn3d!" than for
the real reasons (i.e., a six-month "standard procedure" patch process).
Those in the latter category actually require some work to understand,
and apparently don't give people the instant ego boost of thinking
they're "taking on the monopoly".
NO, I'm not anti-Microsoft, lots of my friends work there. The only evil is folks like eEye providing tools
(patches) to the security community, which legitimate users will never get hold of, but you can bet malicious users
will, and use the patch to their advantage.
Microsoft only ever releases out of its new Patch Tuesday cycle when eEye and all the others release third party
patches. If you really were pro Microsoft, you would be behind me in calling for all third party patches to be slammed
as a bad thing for Microsoft and the security community and the public at large. There are folks at Microsoft in complete
agreement with what I'm saying. Who agree, like me, that Patch Tuesday is a good thing normally, but as soon as the evil
third party patches are released, then Microsoft has no choice but to release out of cycle.
If you had contacts at Microsoft like I do, you would realise everything I'm saying is in line with what
individuals within MS are thinking.
Patch Tuesday = Good before third party patches appear
Third party patch = Evil
Patch Tuesday = Bad for everyone after third party patches appear, even Microsoft, because they hate breaking out
of the Patch Tuesday policy, even though a lot of the time a patch is ready for distribution, Microsoft don't want to
break out of company policy, even though individuals at Microsoft wish it was easier for a multinational to backtrack on
its policy for critical *public 0-day*
----------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/