Information Security News mailing list archives

FW: Microsoft failing security test?

From: InfoSec News <isn () c4i org>
Date: Wed, 16 Jan 2002 00:03:39 -0600 (CST)

Forwarded from: "McDonald Patrick" <mcdonald_patrick () bah com>

Chris brought up a very good point and I stand corrected.

Pat

-----Original Message-----
From: Chris Wysopal [mailto:cwysopal () atstake com]
Sent: Monday, January 14, 2002 10:07 PM
To: isn () attrition org; mcdonald_patrick () bah com
Subject: Re: [ISN] Microsoft failing security test?

Forwarded from: McDonald Patrick <mcdonald_patrick () bah com>

I have to respectfully disagree with Chris Wysopal.

<snip>

"Chris Wysopal, director of research and development for security
company @Stake, argued that an early warning can sometimes actually
hurt security, tipping off malicious attackers to the vulnerability."

<snip>

Does early warning help script kiddies, most definitely.  However it
also helps admins protect their systems against these attacks.  A
script kiddie can't use an exploit that an admin has prepared against.
Thus the exploit is useless against an informed admin.


Seems there was some selective <snip>ing.  You left out the part where I
say. "It does make sense to warn people up front that they can take actions
now". If admins/users can take action on their own it is a good idea to let
them know.

The complete context is this:

<snip>

Chris Wysopal, director of research and development for security company
@Stake, argued that an early warning can sometimes actually hurt security,
tipping off malicious attackers to the vulnerability.

Still, Wysopal said, with the Plug and Play incident, Microsoft could have
told customers to just turn off the function if they weren't using it.

"It does make sense to warn people up front that they can take actions
now," Wysopal said. "I would like to see people not rely on patches so
much. I was disappointed with the FBI's retraction (after they) proposed a
solution that did not require a patch."

<snip>

Cheers,

Chris



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

Current thread:

Microsoft failing security test? InfoSec News (Jan 11)
- <Possible follow-ups>
- RE: Microsoft failing security test? InfoSec News (Jan 14)
- Re: Microsoft failing security test? InfoSec News (Jan 15)
- FW: Microsoft failing security test? InfoSec News (Jan 16)