It's quite simple: they find vulns x, y, z in app 1, then when they release a patch for vulns a, b, c (all reported to them from outside sources) they also fix x, y, z. See my previous two mails.
The main reason (in my humble opinion, and in no way Microsoft's; well, it might be, I don't know) is that publishing the bugs you find yourself with your in-house testing reveals the way you test, and what you do/don't test for. A lot of companies do not publish this info for this very reason. I see no reason why it is bad or suspicious behaviour. I guess it is the sensationalist in you that wants to believe that they have not found a bug themselves for a year and a half. Anyway, go reverse some patches and see.

On 31 March 2010 16:46, Larry Seltzer <[email protected]> wrote:
> I have some problems with this scenario.
>
> First, if Microsoft patches include unrelated silent patches then I would
> expect, as you say, people would diff the files and examine the updates to
> see what it is they are changing and develop POCs for them. I don't ever
> recall hearing of an exploit for a bug in Windows that turned out to have
> been silently patched.
>
> Microsoft provides detailed file information for the updates (e.g.
> http://support.microsoft.com/kb/978251). Since we know exactly which files
> are being updated, any silent patch would have to be in a file that was being
> patched for some other reason, or at least closely related enough that it
> wouldn't arouse suspicion.
>
> This seems like an odd way to go about things, and to what end? It's been
> suggested to me that Microsoft might hide the fact that they are patching
> security vulnerabilities that they found themselves to avoid some sort of
> liability. I don't see why that works, especially when the alternative they
> chose would be to lie to the customers about what files are being updated for
> what purpose. The latter seems more likely to get you in legal trouble.
>
> -----Original Message-----
> From: disco jonny [mailto:[email protected]]
> Sent: Wednesday, March 31, 2010 11:17 AM
> To: Larry Seltzer
> Cc: [email protected]
> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find
> their own bugs
>
> Isn't this the point of what I said before?
>
> They do do in-house security testing after a product has shipped;
> however, they do not publicly release the information for the
> security bugs they find and patch. They roll them out with the other
> patches (or service pack).
>
> You can see this if you diff the patches and compare to the
> advisories. It doesn't happen every patch day, but it does happen.
>
> I am sure if you read my previous message about this then you will see
> that I have already said this.
>
> On 31 March 2010 13:20, Larry Seltzer <[email protected]> wrote:
>> Can you point me to any disclosures for security vulnerabilities you found?
>> Or were they patched silently?
>>
>> -----Original Message-----
>> From: disco jonny [mailto:[email protected]]
>> Sent: Wednesday, March 31, 2010 8:14 AM
>> To: Larry Seltzer
>> Cc: [email protected]
>> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
>> find their own bugs
>>
>> That's alright then.
>>
>> Good to know I didn't look for or find any bugs. I wonder why they paid me.
>>
>> On 28 March 2010 23:45, Larry Seltzer <[email protected]> wrote:
>>> I know because I asked them and they gave me an actual response. In the last
>>> 18 months they found exactly 1 vulnerability themselves, and they found it
>>> ancillary to looking into the Kaminsky DNS bug after Dan Kaminsky reported
>>> that to them.
>>>
>>> Larry Seltzer
>>> Contributing Editor, PC Magazine
>>> http://blogs.pcmag.com/securitywatch/
>>> Sent from my BlackBerry
>>>
>>> ----- Original Message -----
>>> From: disco jonny <[email protected]>
>>> To: Larry Seltzer
>>> Cc: [email protected] <[email protected]>
>>> Sent: Sun Mar 28 16:45:51 2010
>>> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
>>> find their own bugs
>>>
>>>> But once the product ships they stop looking.
>>>
>>> Rubbish. I have worked there and seen that they do continual vuln
>>> assessment throughout a product's lifetime. [Well, for the products I
>>> worked on (Office 2k3 & 2k7).]
>>>
>>> They just don't beat their chest when they patch [they do it silently
>>> and push it out with the disclosed vulns]. Reverse a few patches and
>>> see how many issues are fixed. You seem to often think how it is, then
>>> state that it is like that, as a fact. It really annoys me.
>>>
>>> How do you know what MS does and doesn't do?
>>>
>>>
>>> On 27 March 2010 12:58, Larry Seltzer <[email protected]> wrote:
>>>> I wrote about this myself a little while ago:
>>>> http://blogs.pcmag.com/securitywatch/2009/12/does_microsoft_look_for_vulner.php
>>>>
>>>> Microsoft puts a lot of effort into security research for products under
>>>> development. But once the product ships they stop looking. Alex Sotirov
>>>> pointed out that Microsoft's customers, by paying iDefense and
>>>> TippingPoint and the like, end up paying for research Microsoft should
>>>> be doing. Perhaps Microsoft is also a customer of these companies, I
>>>> don't know.
>>>>
>>>> LJS
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]]
>>>> On Behalf Of Juha-Matti Laurio
>>>> Sent: Saturday, March 27, 2010 7:24 AM
>>>> To: [email protected]
>>>> Subject: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
>>>> find their own bugs
>>>>
>>>> http://www.computerworld.com/s/article/9174120/Pwn2Own_winner_tells_Apple_Microsoft_to_find_their_own_bugs
>>>>
>>>> "The only researcher to "three-peat" at the Pwn2Own hacking contest said
>>>> today that security is such a "broken record" that he won't hand over 20
>>>> vulnerabilities he's found in Apple's, Adobe's and Microsoft's software.
>>>>
>>>> Instead Charlie Miller will show the vendors how to find the bugs
>>>> themselves.
>>>>
>>>> Miller, who yesterday exploited Safari on a MacBook Pro notebook running
>>>> Snow Leopard to win $10,000 in the hacking challenge, said he's tired of
>>>> the lack of progress in security. "We find a bug, they patch it," said Miller.
>>>> "We find another bug, they patch it. That doesn't improve the security
>>>> of the product."
>>>>
>>>> Juha-Matti
>>>> _______________________________________________
>>>> Fun and Misc security discussion for OT posts.
>>>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>>>> Note: funsec is a public and open mailing list.
>>>>
>>>
>>
>
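The cross-check Larry describes above (an update's file list is public, so any updated binary that no advisory accounts for is a candidate for a silent fix and worth reversing) as an added example, not code posted by anyone in this thread. The KB-style file table, the baseline versions and the advisory IDs MSXX-001/MSXX-002 are constructed for illustration only and do not describe any real update:

```python
"""
Cross-check an update's file manifest against the advisories it claims to fix.

Added example, not from the thread. The inputs below are constructed: the file
table imitates the shape of a KB article's "File information" section, the
baseline versions stand in for the shipped (pre-update) binaries, and the
advisory IDs are hypothetical. Method: parse the table, keep only files whose
version actually moved, then subtract every file some advisory names. What is
left is the set a reverser would bindiff first.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of a KB "File information" table.
KB_FILE_TABLE = """\
File name        File version      File size   Date
Win32k.sys       6.1.7600.16539    2,291,712   25-Feb-2010
Ntoskrnl.exe     6.1.7600.16539    3,954,552   25-Feb-2010
Ntkrnlpa.exe     6.1.7600.16539    3,899,256   25-Feb-2010
Dxgkrnl.sys      6.1.7600.16539      716,800   25-Feb-2010
Gdi32.dll        6.1.7600.16385      300,032   14-Jul-2009
"""

# Constructed baseline: versions on a system before the update is applied.
BASELINE_VERSIONS = {
    "win32k.sys": "6.1.7600.16385",
    "ntoskrnl.exe": "6.1.7600.16385",
    "ntkrnlpa.exe": "6.1.7600.16385",
    "dxgkrnl.sys": "6.1.7600.16385",
    "gdi32.dll": "6.1.7600.16385",
}

# Constructed, hypothetical advisory -> affected-binaries map.
ADVISORY_FILES = {
    "MSXX-001": {"win32k.sys"},
    "MSXX-002": {"ntoskrnl.exe", "ntkrnlpa.exe"},
}


@dataclass(frozen=True)
class FileEntry:
    name: str
    version: tuple
    size: int
    date: str


# One table row: name, dotted version, comma-grouped size, date token.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\d+(?:\.\d+)+)\s+(?P<size>[\d,]+)\s+(?P<date>\S+)\s*$"
)


def parse_version(s):
    """'6.1.7600.16539' -> (6, 1, 7600, 16539), so tuples compare numerically."""
    return tuple(int(p) for p in s.split("."))


def parse_kb_table(text):
    """Parse the file table; header and blank lines do not match ROW_RE."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        entries.append(FileEntry(
            name=m.group("name").lower(),
            version=parse_version(m.group("ver")),
            size=int(m.group("size").replace(",", "")),
            date=m.group("date"),
        ))
    return entries


def changed_files(entries, baseline):
    """Entries whose shipped version is newer than the baseline (or unknown)."""
    out = []
    for e in entries:
        base = baseline.get(e.name)
        if base is None or e.version > parse_version(base):
            out.append(e)
    return out


def unexplained_files(entries, advisories):
    """Changed files that no advisory names: candidates for a silent fix."""
    covered = set().union(*advisories.values()) if advisories else set()
    return sorted(e.name for e in entries if e.name not in covered)


def main():
    entries = parse_kb_table(KB_FILE_TABLE)
    changed = changed_files(entries, BASELINE_VERSIONS)
    for e in changed:
        print(f"changed: {e.name} -> {'.'.join(map(str, e.version))}")
    for name in unexplained_files(changed, ADVISORY_FILES):
        print(f"no advisory covers: {name}  (diff this one first)")


if __name__ == "__main__":
    main()
```

Only the version-bumped files are worth attention; a binary listed at its original version (gdi32.dll here) rides along in the package unchanged. A file in the remaining set is not proof of a silent fix, since an unrelated non-security change moves the version just as well; it is only the place to start the bindiff.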
