Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Microsoft issues out-of-band patch

From: "Some Guy Posting To Full Disclosure" <fd.leach () googlemail com>
Date: Fri, 19 Dec 2008 07:58:58 -0800
Here's an article explaining why Microsoft delays their patching:
<http://en.wikipedia.org/wiki/Patch_Tuesday>

Specifically this bit:
"In order to reduce the costs related to the deployment of patches,
Microsoft introduced the concept of Patch Tuesday. The idea is that
security patches are accumulated over a period of one month, and then
dispatched all at once on an anticipated date which system
administrators can prepare for."

On 12/19/08, Bipin Gautam <bipin.gautam () gmail com> wrote:

stop putting so much of attention to 0-day and possible use of it by
government to get into a terrorist pc.

if breaking into someones pc was a matter of national security
importance 0-day may provide a easy leverage but you really dont need
a 0-day to get into someones pc, neither you'd need a already
existing/known backdoor, neither you'd need to bruteforce into the
advisory or a physical access to it.

all they need to do is poison a unsigned executable/plugin/update with
a backdoor instead, that is being downloaded to the advisory computer
over an unencrypted connection if you can control the network gateway
or have isp level access. such attacks "could" work regardless of the
OS or patch level.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




-- 
I'm your best best friend.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: