
Full Disclosure mailing list archives

RE: Unofficial Microsoft patches help hackers, not security
From: Jeff Workman <jworkman () pimpworks org>
Date: Wed, 04 Jan 2006 15:24:27 -0500

Does "Install this patch immediately!" ring any bells?

-J

--On Wednesday, January 04, 2006 1:56 PM -0600 Todd Towles <toddtowles () brookshires com> wrote:


The experts are just that..experts. How is releasing a patch that cuts
out a vulnerable function in a DLL going to help attackers?

Example??

Releasing patches helps hackers when exploits don't already exist...but
in this case, they do already exist. A patch (even from Microsoft) isn't
going to give hackers/attackers any more information than they currently
have and are using.

Attackers RCE Microsoft patches all the time, to find the vulnerable
function and to create exploits. This is true, but in this case..it isn't
needed.





__________________________________________________
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Joe
Average
Sent: Wednesday, January 04, 2006 12:33 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Unofficial Microsoft patches help hackers, not
security



It has been said on C|NET/SecurityFocus and other places that "experts"
are telling people to use unofficial patches, and to make things worse
the "experts" are releasing patches. You've got to wonder who these
"experts" are. By releasing unofficial patches, all you're doing is
aiding the hackers, it doesn't help the situation one little bit for the
overall picture of protecting Microsoft consumers. The majority of
consumers aren't getting your unofficial patches, but you can be sure the
hackers are using them, and using them to their advantage. If these
unofficial patches weren't being released and experts weren't telling
people to use them, I wouldn't be calling for Microsoft to bring forward
the release date for the patch before the end of the week. It's the
"experts" here who have now made the situation ten times worse, by giving
their very bad advice and releasing their own unofficial patches.

Well done the experts,

You deserve the title after all

More some more:
http://n3td3v.blogspot.com




--
Jeff Workman | jworkman () pimpworks org | http://www.pimpworks.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

