Re: Releasing patches is bad for security

["Pall Thayer" <pall () fa is>]

According to slashdot he also said "I can only think of one time that a
vulnerability was exploited before a patch was issued." Apparently he said
this shortly after saying "We have never had vulnerabilities exploited
before the patch was known."


Pall Thayer
artist/teacher
Fjolbrautaskolinn vid Armula
http://www.this.is/pallit
http://www.this.is/pallit/isjs
http://www.this.is/pallit/harmony
http://130.208.220.190/panse

----- Original Message ----- 
From: "Curt Purdy" <purdy () tecman com>
To: "'Chris Brenton'" <cbrenton () chrisbrenton org>;
<incidents () securityfocus com>
Sent: Thursday, February 26, 2004 8:05 PM
Subject: RE: Releasing patches is bad for security


> Chris Brenton wrote:
>
> > This is just such a hoot I had to share:
> > http://news.bbc.co.uk/1/hi/technology/3485972.stm
> > The story quotes David Aucsmith, who is in charge of technology at
> > Microsoft's security business and technology unit as stating:
> >
> > "We have never had vulnerabilities exploited before the patch was
> > known,"
>
> Then how did I get a copy of dcom.exe 2 days before they released the DCom
> RPC patch.  And it was surely in the deep underground longer than that.  A
> very effective exploit too, giving you a command line in 5 seconds on an
> unpatched box.
>
> I would call it less of a hoot and more like a baldface lie.
>
> Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
> Information Security Engineer
> DP Solutions
>
> ----------------------------------------
>
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- White House cybersecurity adviser Richard Clarke
>
>
>
> --------------------------------------------------------------------------
-
> --------------------------------------------------------------------------
--


---------------------------------------------------------------------------
----------------------------------------------------------------------------