Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Unofficial Microsoft patches help hackers, not security
From: "Todd Towles" <toddtowles () brookshires com>
Date: Wed, 4 Jan 2006 13:56:16 -0600

The experts are just that..experts. How is releasing a patch that cuts
out a vulnerable function in a DLL going to help attackers?
Releasing patches helps hackers when exploits don't already exist...but
in this case, they do already exist. A patch (even from Microsoft) isn't
going to give hackers/attackers anymore information then they currently
have and are using.
Attackers RCE microsoft patches all the time, to find the vulnerable
function and to create exploits. This is true, but in this case..it
isn't needed. 


        From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Joe
        Sent: Wednesday, January 04, 2006 12:33 PM
        To: full-disclosure () lists grok org uk
        Subject: [Full-disclosure] Unofficial Microsoft patches help
hackers, not security
        It has been said on C|NET/SecurityFocus and other places that
"experts" are telling people to use unofficial patches, and to make
things worse the "experts" are releasing patches. You've got to wonder
who these "experts" are. By releasing unofficial patches, all you're
doing is aiding the hackers, it doesn't help the situation one little
bit for the overall picture of protecting Microsoft consumers. The
majority of consumers aren't getting your unofficial patches, but you
can be sure the hackers are using them, and using them to their
advantage. If these unofficial patches weren't being released and
experts weren't telling people to use them, I wouldn't be calling for
Microsoft to bring forward the release date for the patch before the end
of the week. It's the "experts" here who have now made the situation ten
times worse, by giving their very bad advice and releasing their own
unofficial patches. 
        Well done the experts,
        You deserve the title after all
        More some more:

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]