Isn't this the point of what I said before? They do do in-house security testing after a product has shipped; however, they do not publicly release the information for the security bugs they find and patch - they roll them out with the other patches (or service pack).
You can see this if you diff the patches and compare to the advisories. It doesn't happen every patch day, but it does happen. I am sure if you read my previous message about this then you will see that I have already said this.

On 31 March 2010 13:20, Larry Seltzer <[email protected]> wrote:
> Can you point me to any disclosures for security vulnerabilities you found?
> Or were they patched silently?
>
> -----Original Message-----
> From: disco jonny [mailto:[email protected]]
> Sent: Wednesday, March 31, 2010 8:14 AM
> To: Larry Seltzer
> Cc: [email protected]
> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find
> their own bugs
>
> That's alright then.
>
> Good to know I didn't look for or find any bugs. I wonder why they paid me.
>
> On 28 March 2010 23:45, Larry Seltzer <[email protected]> wrote:
>> I know because I asked them and they gave me an actual response. In the last
>> 18 months they found exactly 1 vulnerability themselves, and they found it
>> ancillary to looking into the Kaminsky DNS bug after Dan Kaminsky reported
>> that to them.
>>
>> Larry Seltzer
>> Contributing Editor, PC Magazine
>> http://blogs.pcmag.com/securitywatch/
>> Sent from my BlackBerry
>>
>> ----- Original Message -----
>> From: disco jonny <[email protected]>
>> To: Larry Seltzer
>> Cc: [email protected] <[email protected]>
>> Sent: Sun Mar 28 16:45:51 2010
>> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
>> find their own bugs
>>
>>> But once the product ships they stop looking.
>>
>> Rubbish. I have worked there and seen that they do continual vuln
>> assessment throughout a product's lifetime. [Well, for the products I
>> worked on (Office 2k3 & 2k7).]
>>
>> They just don't beat their chest when they patch [they do it silently
>> and push it out with the disclosed vulns] - reverse a few patches and
>> see how many issues are fixed. You seem to often think how it is, then
>> state that it is like that - as a fact. It really annoys me.
>>
>> How do you know what MS does and doesn't do?
>>
>>
>> On 27 March 2010 12:58, Larry Seltzer <[email protected]> wrote:
>>> I wrote about this myself a little while ago:
>>> http://blogs.pcmag.com/securitywatch/2009/12/does_microsoft_look_for_vulner.php
>>>
>>> Microsoft puts a lot of effort into security research for products under
>>> development. But once the product ships they stop looking. Alex Sotirov
>>> pointed out that Microsoft's customers, by paying iDefense and
>>> TippingPoint and the like, end up paying for research Microsoft should
>>> be doing. Perhaps Microsoft is also a customer of these companies, I
>>> don't know.
>>>
>>> LJS
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]]
>>> On Behalf Of Juha-Matti Laurio
>>> Sent: Saturday, March 27, 2010 7:24 AM
>>> To: [email protected]
>>> Subject: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
>>> find their own bugs
>>>
>>> http://www.computerworld.com/s/article/9174120/Pwn2Own_winner_tells_Apple_Microsoft_to_find_their_own_bugs
>>>
>>> "The only researcher to "three-peat" at the Pwn2Own hacking contest said
>>> today that security is such a "broken record" that he won't hand over 20
>>> vulnerabilities he's found in Apple's, Adobe's and Microsoft's software.
>>>
>>> Instead Charlie Miller will show the vendors how to find the bugs
>>> themselves.
>>>
>>> Miller, who yesterday exploited Safari on a MacBook Pro notebook running
>>> Snow Leopard to win $10,000 in the hacking challenge, said he's tired of
>>> the lack of progress in security. "We find a bug, they patch it," said Miller.
>>> "We find another bug, they patch it. That doesn't improve the security
>>> of the product."
>>>
>>> Juha-Matti
>>> _______________________________________________
>>> Fun and Misc security discussion for OT posts.
>>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>>> Note: funsec is a public and open mailing list.
