Re: Releasing patches is bad for security

[Valdis.Kletnieks () vt edu]

On Mon, 01 Mar 2004 14:40:40 PST, "Dozal, Tim" <tdozal () cisco com>  said:
> The question to ask yourself is do the vulnerabilities get exploited
> before or after MS releases the patches.  I think for code red/Nimda MS
> posted a patch and some 300ish days later the worm hit.  Then move ahead

Note that there's a major logic flaw in here - "vulnerabilities exploited" is *NOT*
the same thing as "worm".  Microsoft *wants* you to make that logical error,
because they don't want you thinking about all the unpatched holes in IE, and
they don't want you thinking about how many black hats have 0-days that they're
not attaching to worms because then they'd lose the use of that 0-day.

I mean.. *really*.. apply a few neurons.  What black hat who didn't just fall out
of a tree is going to reveal his 0-day in a worm before it's usefulness has dried up?

If anything, the fact that Nimda was 300 days and Blaster was only 18, is proof that:

a) The percentage of people patching quickly is going up, *and*
b) this means that throwing away your 0-day on "diminishing returns" is happening
faster.

Obviously, whoever released Nimda was using their 0-day for months after the
patch before enough p[eople closed the hole that they said "screw this, this one's
gotten lame" and launched a worm.  It only took 2 weeks of concentrated patching
before the owner of the Blaster 0-day threw in the towel....

Remember why we originally *started* the full-disclosure movement - without it,
the vendors won't move and the 0-days will circulate for *years*.

Attachment: _bin
Description: