Dailydave mailing list archives

Re: RE: Microsoft silently fixes security vulnerabilities


From: Chris Anley <chris () ngssoftware com>
Date: Sun, 23 Apr 2006 10:38:52 +0100

H D Moore wrote:
Silent patching helps attackers by preventing the NIPS/HIPS/VA
companies from being able to protect their customers. In previous
pen-test engagements, I preferred to use an unknown, but patched flaw
over a widely-reported one every time. The admin doesn't know about
it, the vendor has a patch for it, and I don't have to worry about
anyone having a signature for it.

Definitely. There's a further problem though - sometimes a fix is only silent because the vendor doesn't know they've fixed something.

As someone fixing an overflow (say), if I apply a 'gating' validation to
some input string near the point that string is received and reject
input greater than some presumably safe length, I have not only fixed
the reported bug but also probably a number of related bugs in other
code further down the call tree that I'm unaware of, maybe because
someone else in my company wrote it, or because it's in third-party
code, or even in a third party binary.

The problem is that neither I (the developer following best practice)
nor the vulnerability researcher, nor anyone writing NIPS/HIPS knows
what bugs were actually fixed by my input validation.

Now, I'm not saying that specific silent fixes don't happen - obviously
they do - I'm just saying that even if that practice is stamped out by a
public outcry, litigation, legislation, etc., there'll still be an
intractable problem to solve.

     -chris.
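An added example (not code from the thread or from any product it mentions) of the 'gating' fix described above: one length check at the entry point, three hypothetical downstream sinks with fixed-size buffers, and a probe showing which sinks the gate actually covers. All names, sizes and the GATE_MAX bound are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

#define GATE_MAX 63   /* hypothetical "presumably safe" bound applied where input arrives */

enum { REQ_OK = 0, REQ_REJECTED_AT_GATE = -1, REQ_REJECTED_AT_SINK = -2 };

/* Bounded copy standing in for the strcpy-style code each sink originally had.
   Returns REQ_OK if the string fits, otherwise reports the latent overflow. */
static int copy_into(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size)
        return REQ_REJECTED_AT_SINK;
    memcpy(dst, src, n + 1);
    return REQ_OK;
}

/* The sink whose overflow was reported: a 64-byte buffer, covered by the gate. */
static int sink_reported(const char *name) {
    char buf[64];
    return copy_into(buf, sizeof buf, name);
}

/* A colleague's sink further down the tree: same pattern, 128-byte buffer. */
static int sink_elsewhere(const char *name) {
    char buf[128];
    return copy_into(buf, sizeof buf, name);
}

/* Third-party code with a 32-byte buffer: smaller than the gate allows through. */
static int sink_thirdparty(const char *name) {
    char buf[32];
    return copy_into(buf, sizeof buf, name);
}

/* Entry point: the gate runs once, before any downstream sink sees the string. */
int handle_name(const char *name) {
    if (strlen(name) > GATE_MAX)
        return REQ_REJECTED_AT_GATE;  /* silently fixes every sink larger than GATE_MAX */
    int rc;
    if ((rc = sink_reported(name)) != REQ_OK) return rc;
    if ((rc = sink_elsewhere(name)) != REQ_OK) return rc;
    return sink_thirdparty(name);
}

/* Constructed input: a name of `len` repeated 'a' characters, fed to the entry point. */
int probe(size_t len) {
    static char name[256];
    if (len >= sizeof name) return -3;
    memset(name, 'a', len);
    name[len] = '\0';
    return handle_name(name);
}
```

Lengths 32..63 pass the gate yet still overflow the third-party sink, which is exactly the kind of bug nobody can tell has or has not been fixed from the gate alone.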
