Microsoft Admits to Hiding Flaw Details
Spongeform writes "eWeek has an interview with a Microsoft security official admitting to hiding details on software vulnerabilities that are discovered internally. The reason? Microsoft believes that full disclosure of every security-related product change only serves to aid attackers. However, companies using host-based IPS that rely on flaw information to build signatures are basically left at risk because of Microsoft's silent fixes."
it like that does do one thing: it buys time for them to create a fix.
Only if you are working on the flawed assumption that only MS will find the flaws.
I've got news for you:
There are real black hats, and they spend their free time looking for ways to exploit software. It's hubris to think that only MS can find security flaws in their own product.
Besides, this isn't about early disclosure, it's about any disclosure.
System Administrators on the other hand do not have time to reverse engineer the patch, but can read the summary and say "we don't use function blah in program blah, let's apply the patch as it won't affect our operations" or "Holy shit, we have program blah exposed to a hostile network, let's quickly test our stuff & rush the patch out"
And that's the crux of the problem. Of course, given Microsoft's checkered security history, why should this come as a shock? If I were a system administrator, I'd be applying every patch they handed me, on the off chance it's patching an obscure vulnerability I'd never catch in a million years. You can't worry about what Microsoft thinks is severe; while not every vulnerability is immediately exploitable, we've seen how easily unpatched vulnerabilities have allowed the black hats to create botnets overnight. If there's a way, the bad guys will find it, and it's stupid to leave any part of your system vulnerable for too long.
GetOuttaMySpace - The Anti-Social Network
I really disagree. This is security through obscurity, and hiding the plain English description of an available patch only limits the n00b level black hats (script kiddies and the like!)
All the information about what is patched is directly available in the patch, exposed via a relatively simple decompiling operation. A compare of the newly provided DLL and the original shows you clearly what the original lacks. And as such, how you can attack anyone unpatched, or figure out what other DLLs may have such a problem.
I remember helpctr.exe was the first executable I ever did this to. Simple buffer overflow, before SP1.
Browsing with classic discussion, noscript, at -1 and nested
no hidden comments and I only mod UP
Please reread my post.
You write: "Most Windows system administrators are not programmers, and of those that are fewer still are technically skilled enough to reverse engineer a binary patch."
Which is exactly what I quoted: "The guy that feels the pain is the system administrator who is in the dark and who can't do his own reverse-engineering."
It's the attacker doing the reverse engineering, not the sysadmins.
There are shills on slashdot. Apparently, I'm one of them.
Those previous statistics also failed to take into account that most of the vulnerabilities in apps for Linux can also exist if those same apps are installed on Windows...
Apps such as Apache, for instance, can easily be installed on Windows, and most of the issues found will affect any platform running the software.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!