Thats alright then.
good to know i didnt look for or find any bugs. I wonder why they paid me.
On 28 March 2010 23:45, Larry Seltzer wrote:
> I know because I asked them and they gave me an actual response. In the last
> 18 months they found exactly 1 vulnerability themselves, and they found it
Can you point me to any disclosures for security vulnerabilities you found? Or
were they patched silently?
-Original Message-
From: disco jonny [mailto:discojo...@gmail.com]
Sent: Wednesday, March 31, 2010 8:14 AM
To: Larry Seltzer
Cc: funsec@linuxbox.org
Subject: Re: [funsec] Miller, Pw
isnt this the point of what i said before?
they do do in house security testing after a product has shipped,
however they do not publically release the information for the
security bugs they find and patch - they roll them out with the other
patches. (or service pack)
you can see this if you dif
I have some problems with this scenario.
First if Microsoft patches include unrelated silent patches then I would
expect, as you say, people would diff the files and examine the updates to see
what it is they are changing and develop POCs for them. I don't ever recall
hearing of an exploit for
They do it all the time. Lots of people don't patch.
It's common to see exploits come out for patched vulnerabilities,
especially shortly after a patch Tuesday.
-Original Message-
From: Dan Kaminsky [mailto:d...@doxpara.com]
Sent: Wednesday, March 31, 2010 12:03 PM
To: Larry Seltzer
Cc:
Yes, because if there's one thing people love to do, it's develop
exploits for patched vulnerabilities.
On Mar 31, 2010, at 11:46 AM, "Larry Seltzer"
wrote:
> I have some problems with this scenario.
>
> First if Microsoft patches include unrelated silent patches then I
> would expect, a
On Wed, 31 Mar 2010 12:02:41 EDT, Dan Kaminsky said:
> Yes, because if there's one thing people love to do, it's develop
> exploits for patched vulnerabilities.
Said exploits work really great against unpatched machines, of which there
are far too many.
pgpx8SvfV03aF.pgp
Description: PGP signa
On Wed, Mar 31, 2010 at 12:10 PM, wrote:
> On Wed, 31 Mar 2010 12:02:41 EDT, Dan Kaminsky said:
> > Yes, because if there's one thing people love to do, it's develop
> > exploits for patched vulnerabilities.
>
> Said exploits work really great against unpatched machines, of which there
> are far
someone fill in the blanks here for me?
http://www.v3.co.uk/v3/news/2260510/roles-2020
change or die??? is the security sector involved in this? "Business
Objectives" means
--
been great, thanks
RandyM
a.k.a System
___
Fun and Misc security disc
OK, that wasn't hard.
Here (http://www.exploit-db.com/exploits/11787) is an exploit released
on 3/17.
The vulnerability was patched by Adobe about a month before:
http://www.adobe.com/support/security/bulletins/apsb10-07.html
LJS
___
Fun and
Larry Seltzer wrote:
> First if Microsoft patches include unrelated silent patches then I
> would expect, as you say, people would diff the files and examine the
> updates to see what it is they are changing
They do and they do. Ask Halvar about reversing and finding silent
patches. Former Microso
its quite simple - they find vulns x, y, z, in app 1 then when they
release a pacth for vulns a, b, c (all reported to them from outside
sources) then they also fix xyz. - see my previous two mails.
The main reason (in my humble opinion and in no way microsofts - well
it might be i dont know) is t
On Wed, 31 Mar 2010 11:21:12 CDT, RandallM said:
> change or die??? is the security sector involved in this? "Business
> Objectives" means
Online rather than punch cards means change-or-die.
RDBMS means change-or-die.
Client-server means change-or-die.
Thin-clients means change-or-die.
Inter
Date sent: Wed, 31 Mar 2010 14:48:32 +0200
From: PsychoBilly
> http://science.nasa.gov/headlines/y2006/10mar_stormwarning.htm
Yeah, global (intergalactic?) warming is really creating some freaky weather ...
== (quote inserted randomly by Pegas
Date sent: Wed, 31 Mar 2010 11:21:12 -0500
From: RandallM
> someone fill in the blanks here for me?
Well, I can try, but I suspect that there are a whole lot of them.
> http://www.v3.co.uk/v3/news/2260510/roles-2020
>
> change or die???
Constant change is here t
http://www.cbc.ca/cp/Oddities/100331/K033106AU.html
== (quote inserted randomly by Pegasus Mailer)
rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org
The drop of rain maketh a hole in the stone, not by violence, but
by oft falling.
Read this:
http://www.eweek.com/c/a/Security/Microsoft-Patches-When-Silence-Isnt-Golden/
News Analysis: The software maker admits to withholding details on
security vulnerabilities to protect customers from bad guys, but critics
say that policy increases the risk for everyone.
Microsoft has fesse
Yeah, it's clear I'm wrong about the silent patching. I'm still at a loss as to
why they do it, and I don't understand the proffered reasoning in the eWEEK
article.
-Original Message-
From: Craig Schmugar [mailto:cr...@getvirushelp.com]
Sent: Wednesday, March 31, 2010 7:32 PM
To: disco
disco jonny wrote:
> its quite simple - they find vulns x, y, z, in app 1 then when they
> release a pacth for vulns a, b, c (all reported to them from outside
> sources) then they also fix xyz. - see my previous two mails.
And just to clarify a bit further, you _occasionally_ also see cases
whe
19 matches
Mail list logo
