Re: Microsoft issues out-of-band patch

[Valdis.Kletnieks () vt edu]

On Fri, 19 Dec 2008 20:23:57 GMT, n3td3v said:
> You're giving the bad guys clues on what to avoid or will the bad guys
> be aware of all the possible attack vectors the government might be
> using already?

Hint: Think about the attack vectors the government can use to deliver
what is essentially malware, and the attack vectors the bad guys can use
to do the same thing.

They're essentially the same, except that the government has a few more
options on how to implement "cause a major vendor to ship a backdoored
update". Note that OpenSSH, Sendmail, and recently Redhat/Fedora (among
many others) have all had issues in the past with this, even without
governmental interference.

However, note that although the government *could* possibly pull off such a
trick, their hands are somewhat tied, for the exact same reason why in WWII,
the Allies couldn't take full advantage of having broken Enigma, going so far
as to intentionally let some convoys get sunk rather than letting the Germans
know Enigma had been broken.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/