Security Incidents mailing list archives

RE: Releasing patches is bad for security


From: "Dozal, Tim" <tdozal () cisco com>
Date: Tue, 2 Mar 2004 17:18:54 -0800

After sitting in on some of the discussion at the security conferences
on the MS campus, their strategy is as sound as any I have seen
proposed.  They are only releasing out-of-cycle patches for things that
are wormable.  Other vulnerabilities as they are discovered, no matter
the source of the discovery, are released in scheduled patches.

This is to aid their large customers, the ones who usually take the
longest time to deploy patches, have strict IT policy and also pay a TON
of $$$ to MS for their software.

You miss MS intent with:

I mean.. *really*.. apply a few neurons.  What black hat who didn't just
fall out of a tree is going to reveal his 0-day in a worm before its
usefulness has dried up?

Those are things they patch in cycle as they are discovered, and trends
show the largest impacting virus threats from these occur AFTER the
patches.  The smart hackers who have early 0-day exploits will always
exist, they are the needle in the haystack not the atomic bomb MS is
trying to deal with in their recent patch changes and policy changes.

2003 and Longhorn will be quite a different story. MS has learned that
turning everything on for ease of use is not smart or secure, so the next
gen stuff is more secure in the sense that if it's not turned on
specifically by the customer, it's not turned on at all.  This will make
for a huge reduction in the attack surface of the hosts, again a step in
a long line of steps that are needed to make the entire solution secure.

Tim

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Tuesday, March 02, 2004 8:51 AM
To: Dozal, Tim
Cc: incidents () securityfocus com
Subject: Re: Releasing patches is bad for security 

On Mon, 01 Mar 2004 14:40:40 PST, "Dozal, Tim" <tdozal () cisco com>  said:
> The question to ask yourself is do the vulnerabilities get exploited
> before or after MS releases the patches.  I think for code red/Nimda
> MS posted a patch and some 300ish days later the worm hit.  Then move
> ahead

Note that there's a major logic flaw in here - "vulnerabilities
exploited" is *NOT* the same thing as "worm".  Microsoft *wants* you to
make that logical error, because they don't want you thinking about all
the unpatched holes in IE, and they don't want you thinking about how
many black hats have 0-days that they're not attaching to worms because
then they'd lose the use of that 0-day.

I mean.. *really*.. apply a few neurons.  What black hat who didn't just
fall out of a tree is going to reveal his 0-day in a worm before its
usefulness has dried up?

If anything, the fact that Nimda was 300 days and Blaster was only 18,
is proof that:

a) The percentage of people patching quickly is going up, *and*
b) this means that throwing away your 0-day on "diminishing returns" is
happening faster.

Obviously, whoever released Nimda was using their 0-day for months after
the patch before enough people closed the hole that they said "screw
this, this one's gotten lame" and launched a worm.  It only took 2 weeks
of concentrated patching before the owner of the Blaster 0-day threw in
the towel....

Remember why we originally *started* the full-disclosure movement -
without it, the vendors won't move and the 0-days will circulate for
*years*.

