Security Incidents mailing list archives

RE: Releasing patches is bad for security


From: Mike Barushok <barushok () keycreations com>
Date: Sun, 29 Feb 2004 13:50:35 -0600 (CST)


I still have not seen the most likely reason for
exploit code being in wide release only after a
patch is available.

I believe that there really is not a clear boundary
between the legitimate and illegitimate exploits.
Historically almost all the well known, big name
individuals in the computer security community started
out as 'hackers'. Aside from the fact that some of
them may still want to write exploits to keep from
getting rusty, they also need to be able to verify
that vulnerabilities that they find are really
exploitable. So, for professional reasons there
is going to be 'proof of concept' code, released
or not. Also, the discovery of a new flaw is a
matter of professional pride, and will be announced
long before the flaw is patched. So people other than
the one doing the discovery will attempt to
verify whether there is an exploit.

But, more pertinent than that, is the fact that
once the patch is announced for a flaw, there is
going to be a need to test whether that patch
really fixes the problem it is intended for, and
also a need to see if it fixes related and/or
un-announced flaws. Within the security research
community a wide release of exploit code after
a patch has been announced serves those purposes.
There has been at least one recent patch that Microsoft
pulled, then replaced as a direct result of independent
researchers finding that the original patch was faulty.
No serious security researchers, and especially the
commercial vendors of security services and of
security appliances, are going to just believe that
all future patches will be protective without any
means of verifying that assertion.

Microsoft (or at least the person of David Aucsmith),
seemingly thinks that the only exploit code that is
available is that code they are aware of. As long as
they feel that they are apart from rather than a part of
the 'security research community', they have self-imposed
blinders on and will continue to evaluate the
online world from a very constrained viewpoint.

Just to add my point of view, for what it is worth.

On Sat, 28 Feb 2004, Brian Taylor wrote:

[Ross M. W. Bennetts] 
But if a hacker did produce an exploit wouldn't he/she be more likely
to use it surreptitiously for their own
private purposes and then only release it to the kiddies on the net
after the patch has been released?

<SNIP>

Possibly, Ross.  But that discounts one of the main motivators in the
hacking community--the "I did it because I could" factor.  I'm not
pointing you out as an example, but many on the corporate side get
caught up in discussions of profit (See IDS is worthless thread) or
sometimes we believe our own propaganda that all hackers are Vladimir
Levin clones who hack for profit. And yes... Like any entity, we do
occasionally push out some stretched-truths to prove our point.
Unfortunately, old David Aucsmith took it to another level...

<major snip>

Not to refute anyone except Aucsmith..  I'm just providing another
viewpoint, albeit one that a large portion of the hacking community
shares.  Knowing your enemy helps know their motivations (and modus
operandi).

Happy hunting!

--BT




--

Mike Barushok
Technical Services KeyCreations.com/KCISP.net/ispKansas.com
