Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs

[Blue Boar <BlueBoar () thievco com>]

Larry Seltzer wrote:
> First if Microsoft patches include unrelated silent patches then I
> would expect, as you say, people would diff the files and examine the
> updates to see what it is they are changing

They do and they do. Ask Halvar about reversing and finding silent
patches. Former Microsoft people have also confirmed that they have
fixed "in-house"-discovered problems.

> and develop POCs for
> them.

Why develop POCs for patched bugs? "They" already have working exploits
for vulns fixed in the same patch to get the unpatched boxes.

> I don't ever recall hearing of an exploit for a bug in Windows
> that turned out to have been silently patched.

I've seen people claim numerous times on mailing lists over the years
that MS finally fixed the vuln they were using. Check with Dave Aitel.

                                        BB
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.