Security Incidents mailing list archives
RE: Releasing patches is bad for security
From: Mike Barushok <barushok () keycreations com>
Date: Sun, 29 Feb 2004 13:50:35 -0600 (CST)
I still have not seen the most likely reason for exploit code being in wide release only after a patch is available. I believe that there really is not a clear boundary between the legitimate and illegitimate exploits. Historically almost all the well known, big name individuals in the computer security community started out as 'hackers'. Aside from the fact that some of them may still want to write exploits to keep from getting rusty, they also need to be able to verify that vulnerabilities that they find are really exploitable. So, for professional reasons there is going to be 'proof of concept' code, released or not. Also, the discovery of a new flaw is a matter of professional pride, and will be announced long before the flaw is patched. So others than the one doing the discovery will attempt to verify whether there is an exploit.

But, more pertinent than that, is the fact that once the patch is announced for a flaw, there is going to be a need to test whether that patch really fixes the problem it is intended for, and also a need to see if it fixes related and/or un-announced flaws. Within the security research community a wide release of exploit code after a patch has been announced serves those purposes. There has been at least one recent patch that Microsoft pulled, then replaced, as a direct result of independent researchers finding that the original patch was faulty. No serious security researchers, and especially the commercial vendors of security services and of security appliances, are going to just believe that all future patches will be protective without any means of verifying that assertion. Microsoft (or at least the person of David Aucsmith) seemingly thinks that the only exploit code that is available is the code they are aware of.

As long as they feel that they are apart from, rather than a part of, the 'security research community', they have self-imposed blinders on and will continue to evaluate the online world from a very constrained viewpoint. Just to add my point of view, for what it is worth.

On Sat, 28 Feb 2004, Brian Taylor wrote:
[Ross M. W. Bennetts] But if a hacker did produce an exploit wouldn't he/she be more likely to use it surreptitiously for their own private purposes and then only release it to the kiddies on the net after the patch has been released? <SNIP>

Possibly, Ross. But that discounts one of the main motivators in the hacking community--the "I did it because I could" factor. I'm not pointing you out as an example, but many on the corporate side get caught up in discussions of profit (see the "IDS is worthless" thread), or sometimes we believe our own propaganda that all hackers are Vladimir Levin clones who hack for profit. And yes... like any entity, we do occasionally push out some stretched truths to prove our point. Unfortunately, old David Aucsmith took it to another level...

<major snip>

Not to refute anyone except Aucsmith... I'm just providing another viewpoint, albeit one that a large portion of the hacking community shares. Knowing your enemy helps you know their motivations (and modus operandi). Happy hunting! --BT

--
Mike Barushok
Technical Services
KeyCreations.com/KCISP.net/ispKansas.com