Full Disclosure mailing list archives

RE: Half-Life 2 source code stolen through IE exploit


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 6 Oct 2003 13:31:54 -0500

-----Original Message-----
From: Brown, Rodrick [mailto:rbrown () doitt nyc gov] 
Sent: Monday, October 06, 2003 12:01 PM
To: Trey Mujakporue/UK/Tesco; full-disclosure () lists netsys com
Cc: nick () virus-l demon co uk
Subject: RE: [Full-disclosure] Half-Life 2 source code stolen 
through IE exploit

I don't see how Microsoft is at fault? This was a known bug 
released by Microsoft months ago; if they had adequate patches 
or even a decent security protocol in place, this would never 
have happened. 

You are either terribly confused or mis- or un-informed.  The patch
(MS03-040) that "fixes" this problem (and we won't really know that it
does until people like Thor have had time to test it thoroughly - after
all, past experience tells us that Microsoft *saying* that it's fixed is
unreliable) was just released last Wednesday, well after Valve was
broken into.  The patch that *supposedly* fixed it (MS03-032) was
released a while ago, and I believe I recall Valve saying that they had
applied that one.  But Microsoft has known for months that that patch
did *not* fix the problem, and yet they waited until it was being
actively exploited in a massive way before issuing a "fix".

So this is a *clear cut* case where Microsoft is completely at fault and
the admins are completely innocent (other than the side issues of
whether or not they should have development servers on the Internet or
not and whether or not they should use Microsoft products at all.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

