Yeah, it's clear I'm wrong about the silent patching. I'm still at a loss as to why they do it, and I don't understand the proffered reasoning in the eWEEK article.
-----Original Message-----
From: Craig Schmugar [mailto:cr...@getvirushelp.com]
Sent: Wednesday, March 31, 2010 7:32 PM
To: disco jonny
Cc: Larry Seltzer; funsec@linuxbox.org
Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs

Read this:
http://www.eweek.com/c/a/Security/Microsoft-Patches-When-Silence-Isnt-Golden/

News Analysis: The software maker admits to withholding details on security vulnerabilities to protect customers from bad guys, but critics say that policy increases the risk for everyone.

Microsoft has fessed up to hiding details on software vulnerabilities that are discovered internally, insisting that full disclosure of every security-related product change only serves to aid attackers.

...

In an interview with eWEEK, Mike Reavey, operations manager of the MSRC (Microsoft Security Response Center), said the company's policy is to document the existence of internally discovered flaws as well as the area of functionality where the change occurred, but that full details on the fixes are withheld for a very good reason.

"We want to make sure we don't give attackers any [additional] information that could be used against our customers. There is a balance between providing information to assess risk and giving out information that aids attackers," Reavey said.

When Microsoft receives a report of a security flaw from external researchers, Reavey said, the MSRC conducts an extensive investigation to look at all the surrounding code to make sure a comprehensive fix is pushed out the door. If a related bug is found internally, it will be fixed in the eventual patch, he said, but the details will be kept under wraps.

----

They silently patch public vulns too, like:

http://browserfun.blogspot.com/2006/08/orphan-objects-bug-was-silently-fixed.html#links
MoBB #30 was silently fixed last Tuesday by Microsoft's cumulative security patch for Internet Explorer (MS06-042).

http://www.sans.org/newsletters/risk/display.php?v=7&i=17
Status: Microsoft confirmed, updates available. This vulnerability was silently patched in Microsoft Security Bulletin MS07-069. Users can mitigate the impact of this vulnerability by disabling the affected control via Microsoft's "kill bit" mechanism using CLSID "E5D419D6-A846-4514-9FAD-97E826C84822". Note that this will affect normal application functionality.

-Craig

On Wed, 2010-03-31 at 18:47 +0100, disco jonny wrote:
> its quite simple - they find vulns x, y, z, in app 1 then when they
> release a patch for vulns a, b, c (all reported to them from outside
> sources) then they also fix xyz. - see my previous two mails.
>
> The main reason (in my humble opinion and in no way Microsoft's - well
> it might be i don't know) is that publishing the bugs you find yourself
> with your in house testing reveals the way you test, and what you
> do/don't test for. - a lot of companies do not publish this info for
> this very reason. i see no reason why it is bad or suspicious
> behaviour. - i guess it is the sensationalist in you that wants to
> believe that they have not found a bug themselves for a year and a
> half.
>
> anyway, go reverse some patches and see.
>
>
> On 31 March 2010 16:46, Larry Seltzer <la...@larryseltzer.com> wrote:
> > I have some problems with this scenario.
> >
> > First if Microsoft patches include unrelated silent patches then I would
> > expect, as you say, people would diff the files and examine the updates to
> > see what it is they are changing and develop POCs for them. I don't ever
> > recall hearing of an exploit for a bug in Windows that turned out to have
> > been silently patched.
> >
> > Microsoft provides detailed file information on the updates (e.g.
> > http://support.microsoft.com/kb/978251). Since we know exactly which files
> > are being updated, any silent patch would have to be in a file that was
> > being patched for some other reason, or at least closely related enough
> > that it wouldn't arouse suspicion.
> >
> > This seems like an odd way to go about things, and to what end? It's been
> > suggested to me that Microsoft might hide the fact that they are patching
> > security vulnerabilities that they found themselves to avoid some sort of
> > liability. I don't see why that works, especially when the alternative they
> > chose would be to lie to the customers about what files are being updated
> > for what purpose. The latter seems more likely to get you in legal trouble.
> >
> > -----Original Message-----
> > From: disco jonny [mailto:discojo...@gmail.com]
> > Sent: Wednesday, March 31, 2010 11:17 AM
> > To: Larry Seltzer
> > Cc: funsec@linuxbox.org
> > Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
> > find their own bugs
> >
> > isn't this the point of what i said before?
> >
> > they do do in house security testing after a product has shipped,
> > however they do not publicly release the information for the
> > security bugs they find and patch - they roll them out with the other
> > patches. (or service pack)
> >
> > you can see this if you diff the patches and compare to the
> > advisories. it doesn't happen every patch day. but it does happen.
> >
> > I am sure if you read my previous message about this then you will see
> > that i have already said this.
> >
> > On 31 March 2010 13:20, Larry Seltzer <la...@larryseltzer.com> wrote:
> >> Can you point me to any disclosures for security vulnerabilities you
> >> found? Or were they patched silently?
> >>
> >> -----Original Message-----
> >> From: disco jonny [mailto:discojo...@gmail.com]
> >> Sent: Wednesday, March 31, 2010 8:14 AM
> >> To: Larry Seltzer
> >> Cc: funsec@linuxbox.org
> >> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
> >> find their own bugs
> >>
> >> That's alright then.
> >>
> >> good to know i didn't look for or find any bugs. I wonder why they paid me.
> >>
> >> On 28 March 2010 23:45, Larry Seltzer <la...@larryseltzer.com> wrote:
> >>> I know because I asked them and they gave me an actual response. In the
> >>> last
> >>> 18 months they found exactly 1 vulnerability themselves, and they found it
> >>> ancillary to looking into the Kaminsky DNS bug after Dan Kaminsky reported
> >>> that to them.
> >>>
> >>> Larry Seltzer
> >>> Contributing Editor, PC Magazine
> >>> http://blogs.pcmag.com/securitywatch/
> >>> Sent from my BlackBerry
> >>>
> >>> ----- Original Message -----
> >>> From: disco jonny <discojo...@gmail.com>
> >>> To: Larry Seltzer
> >>> Cc: funsec@linuxbox.org <funsec@linuxbox.org>
> >>> Sent: Sun Mar 28 16:45:51 2010
> >>> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
> >>> find their own bugs
> >>>
> >>>> But once the product ships they stop looking.
> >>>
> >>> rubbish. I have worked there and seen that they do continual vuln
> >>> assessment throughout a product's lifetime. [well for the products i
> >>> worked on. (office 2k3 & 2k7)]
> >>>
> >>> They just don't beat their chest when they patch [they do it silently
> >>> and push it out with the disclosed vulns] - reverse a few patches and
> >>> see how many issues are fixed. You seem to often think how it is then
> >>> state that it is like that - as a fact. it really annoys me.
> >>>
> >>> How do you know what MS does and doesn't do?
> >>>
> >>>
> >>> On 27 March 2010 12:58, Larry Seltzer <la...@larryseltzer.com> wrote:
> >>>> I wrote about this myself a little while ago:
> >>>> http://blogs.pcmag.com/securitywatch/2009/12/does_microsoft_look_for_vulner.php
> >>>>
> >>>> Microsoft puts a lot of effort into security research for products under
> >>>> development. But once the product ships they stop looking. Alex Sotirov
> >>>> pointed out that Microsoft's customers, by paying iDefense and
> >>>> TippingPoint and the like, end up paying for research Microsoft should
> >>>> be doing. Perhaps Microsoft is also a customer of these companies, I
> >>>> don't know.
> >>>>
> >>>> LJS
> >>>>
> >>>> -----Original Message-----
> >>>> From: funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org]
> >>>> On Behalf Of Juha-Matti Laurio
> >>>> Sent: Saturday, March 27, 2010 7:24 AM
> >>>> To: funsec@linuxbox.org
> >>>> Subject: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
> >>>> find their own bugs
> >>>>
> >>>> http://www.computerworld.com/s/article/9174120/Pwn2Own_winner_tells_Apple_Microsoft_to_find_their_own_bugs
> >>>>
> >>>> "The only researcher to "three-peat" at the Pwn2Own hacking contest said
> >>>> today that security is
> >>>> such a "broken record" that he won't hand over 20 vulnerabilities he's
> >>>> found in Apple's,
> >>>> Adobe's and Microsoft's software.
> >>>>
> >>>> Instead Charlie Miller will show the vendors how to find the bugs
> >>>> themselves.
> >>>>
> >>>> Miller, who yesterday exploited Safari on a MacBook Pro notebook running
> >>>> Snow Leopard to win $10,000 in the hacking challenge,
> >>>> said he's tired of the lack of progress in security. "We find a bug,
> >>>> they patch it," said Miller.
> >>>> "We find another bug, they patch it. That doesn't improve the security
> >>>> of the product."
> >>>>
> >>>> Juha-Matti
> >>>> _______________________________________________
> >>>> Fun and Misc security discussion for OT posts.
> >>>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> >>>> Note: funsec is a public and open mailing list.
> >>>>
> >>>
> >>
> >
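The SANS item Craig quotes recommends the "kill bit" as the mitigation for the silently patched control. As an added example, not code from the thread or from Microsoft, the script below checks and sets that bit for a CLSID. It assumes the documented kill-bit location (HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, value "Compatibility Flags", flag 0x400) plus the Wow6432Node mirror that 32-bit IE on 64-bit Windows reads; the function names are mine, and the CLSID used at the bottom is the one from the SANS excerpt.

```powershell
# Added example (not from the thread or from Microsoft): inspect and set the
# Internet Explorer kill bit for an ActiveX control by CLSID.
# Assumptions: the registry location and the 0x400 flag are as documented for
# "Compatibility Flags"; writing under HKLM requires an elevated prompt.

$KillBitFlag = 0x400   # the "kill bit" within Compatibility Flags

function Get-KillBitPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    # IE keys the control by its brace-wrapped, upper-case CLSID.
    $c = '{' + $Clsid.Trim('{}').ToUpperInvariant() + '}'
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$c")
    # 32-bit IE on 64-bit Windows reads the WOW6432Node view, so cover both.
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$c"
    }
    return $paths
}

function Test-KillBit {
    # Report, per registry view, whether the kill bit is currently set.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($p in Get-KillBitPaths $Clsid) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        $current = 0
        if ($null -ne $flags) { $current = [int]$flags }
        [pscustomobject]@{
            Path    = $p
            Flags   = ('0x{0:X8}' -f $current)
            KillBit = (($current -band $KillBitFlag) -ne 0)
        }
    }
}

function Set-KillBit {
    # OR the kill bit into the existing flags rather than overwriting them,
    # so any other compatibility bits already set on the control survive.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($p in Get-KillBitPaths $Clsid) {
        if ($PSCmdlet.ShouldProcess($p, 'Set kill bit in Compatibility Flags')) {
            if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
            $existing = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                         -ErrorAction SilentlyContinue).'Compatibility Flags'
            $current = 0
            if ($null -ne $existing) { $current = [int]$existing }
            $new = $current -bor $KillBitFlag
            Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
}

# CLSID quoted in the SANS item above.
$clsid = 'E5D419D6-A846-4514-9FAD-97E826C84822'
Test-KillBit $clsid | Format-Table -AutoSize
Set-KillBit $clsid -WhatIf    # drop -WhatIf, from an elevated prompt, to apply
Test-KillBit $clsid | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: the kill bit only stops Internet Explorer and other WebBrowser-control hosts from instantiating the control, it does not remove or patch the binary, so the bulletin's fix is still the real remediation; and, as the SANS note says, any application that legitimately embeds the control through those hosts will break, so test before pushing this out by policy.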