Yes, because if there's one thing people love to do, it's develop exploits for patched vulnerabilities.
On Mar 31, 2010, at 11:46 AM, "Larry Seltzer" <[email protected]> wrote:

> I have some problems with this scenario.
>
> First, if Microsoft patches include unrelated silent patches then I would expect, as you say, people would diff the files and examine the updates to see what it is they are changing and develop POCs for them. I don't ever recall hearing of an exploit for a bug in Windows that turned out to have been silently patched.
>
> Microsoft provides detailed file information on the updates (e.g. http://support.microsoft.com/kb/978251 ). Since we know exactly which files are being updated, any silent patch would have to be in a file that was being patched for some other reason, or at least closely related enough that it wouldn't arouse suspicion.
>
> This seems like an odd way to go about things, and to what end? It's been suggested to me that Microsoft might hide the fact that they are patching security vulnerabilities that they found themselves to avoid some sort of liability. I don't see why that works, especially when the alternative they chose would be to lie to the customers about what files are being updated for what purpose. The latter seems more likely to get you in legal trouble.
>
> -----Original Message-----
> From: disco jonny [mailto:[email protected]]
> Sent: Wednesday, March 31, 2010 11:17 AM
> To: Larry Seltzer
> Cc: [email protected]
> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
>
> Isn't this the point of what I said before?
>
> They do do in-house security testing after a product has shipped; however, they do not publicly release the information for the security bugs they find and patch - they roll them out with the other patches (or service pack).
>
> You can see this if you diff the patches and compare to the advisories. It doesn't happen every patch day, but it does happen.
>
> I am sure if you read my previous message about this then you will see that I have already said this.
>
> On 31 March 2010 13:20, Larry Seltzer <[email protected]> wrote:
>> Can you point me to any disclosures for security vulnerabilities you found? Or were they patched silently?
>>
>> -----Original Message-----
>> From: disco jonny [mailto:[email protected]]
>> Sent: Wednesday, March 31, 2010 8:14 AM
>> To: Larry Seltzer
>> Cc: [email protected]
>> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
>>
>> That's alright then.
>>
>> Good to know I didn't look for or find any bugs. I wonder why they paid me.
>>
>> On 28 March 2010 23:45, Larry Seltzer <[email protected]> wrote:
>>> I know because I asked them and they gave me an actual response. In the last 18 months they found exactly 1 vulnerability themselves, and they found it ancillary to looking into the Kaminsky DNS bug after Dan Kaminsky reported that to them.
>>>
>>> Larry Seltzer
>>> Contributing Editor, PC Magazine
>>> http://blogs.pcmag.com/securitywatch/
>>> Sent from my BlackBerry
>>>
>>> ----- Original Message -----
>>> From: disco jonny <[email protected]>
>>> To: Larry Seltzer
>>> Cc: [email protected] <[email protected]>
>>> Sent: Sun Mar 28 16:45:51 2010
>>> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
>>>
>>>> But once the product ships they stop looking.
>>>
>>> Rubbish. I have worked there and seen that they do continual vuln assessment throughout a product's lifetime. [Well, for the products I worked on (Office 2k3 & 2k7).]
>>>
>>> They just don't beat their chest when they patch [they do it silently and push it out with the disclosed vulns] - reverse a few patches and see how many issues are fixed. You seem to often think how it is, then state that it is like that - as a fact. It really annoys me.
>>>
>>> How do you know what MS does and doesn't do?
>>>
>>> On 27 March 2010 12:58, Larry Seltzer <[email protected]> wrote:
>>>> I wrote about this myself a little while ago:
>>>> http://blogs.pcmag.com/securitywatch/2009/12/does_microsoft_look_for_vulner.php
>>>>
>>>> Microsoft puts a lot of effort into security research for products under development. But once the product ships they stop looking. Alex Sotirov pointed out that Microsoft's customers, by paying iDefense and TippingPoint and the like, end up paying for research Microsoft should be doing. Perhaps Microsoft is also a customer of these companies, I don't know.
>>>>
>>>> LJS
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:funsec-[email protected]] On Behalf Of Juha-Matti Laurio
>>>> Sent: Saturday, March 27, 2010 7:24 AM
>>>> To: [email protected]
>>>> Subject: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
>>>>
>>>> http://www.computerworld.com/s/article/9174120/Pwn2Own_winner_tells_Apple_Microsoft_to_find_their_own_bugs
>>>>
>>>> "The only researcher to "three-peat" at the Pwn2Own hacking contest said today that security is such a "broken record" that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software.
>>>>
>>>> Instead Charlie Miller will show the vendors how to find the bugs themselves.
>>>>
>>>> Miller, who yesterday exploited Safari on a MacBook Pro notebook running Snow Leopard to win $10,000 in the hacking challenge, said he's tired of the lack of progress in security. "We find a bug, they patch it," said Miller. "We find another bug, they patch it. That doesn't improve the security of the product."
>>>>
>>>> Juha-Matti
>>>> _______________________________________________
>>>> Fun and Misc security discussion for OT posts.
>>>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>>>> Note: funsec is a public and open mailing list.
