
List:       dailydave
Subject:    RE: [Dailydave] Microsoft silently fixes security vulnerabilities
From:       "Steve Manzuik" <smanzuik () eeye ! com>
Date:       2006-04-16 5:00:38
Message-ID: D52FCFAE57472647956CBAEDC08DA553A25D20 () av-mail01 ! corp ! int-eeye ! com

Hi Marc,

Andre Protas as well as a few of the other guys over at the eEye
Research Team have done a lot of work on analyzing patches and seeing
what is truly fixed and what is not.  In fact, Andre and I presented on
this subject at Blackhat in Amsterdam and offered a few examples.  We
are going to be doing another version of the same presentation (but with
other silently fixed vulns as examples) at AusCERT as well.

My biggest problem with silently fixed patches is that they make it
tougher for the large end users to do a proper risk assessment of the
patch.  Most of the large enterprises I have been exposed to all but
ignore the vendor risk rating and try to assign a patch their own
internal risk rating.  Without knowing what is truly fixed, it is pretty
tough to do this.

The next problem with this, which Andre and I demonstrated in our talk,
is that certain signature-based protections do not protect against the
silently fixed vulnerabilities.  So organizations that take their time
to patch because they feel that their security product is protecting
their systems might be surprised.


> Also very interesting is this eEye advisory [2], explaining 
> Microsoft discovered internally the CVE-2005-2120 
> vulnerability and fixed it silently in Windows 2003 without 
> backporting it to earlier Windows versions. eEye then 
> independently rediscovered it, "forcing" Microsoft to release 
> MS05-047 to publicly acknowledge the vuln and backport a fix 
> to all Windows versions. At least, in this case Microsoft 
> doesn't lie and tells the truth in MS05-047 by listing 
> Windows 2003 as not affected.

If you go back even further, long before my time at eEye, and take a
look at the ASN.1 patch of February 2004 you will see other (multiple)
related vulnerabilities fixed.

I am not going to blame Microsoft for doing their own investigation into
issues.  Typically, when someone reports an issue to MS they will look
for other issues that are possibly related and fix those too.  That is a
good thing.  Where they are going wrong is not sharing the details.

Sadly, this is not just a MS problem.  I will go out on a limb here (and
probably get slapped for it) and say that *most* vendors practice this.


Cheers;

Steve Manzuik
