[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Security updates are too slow or non-existent


On Sunday 08 February 2004 16:20, William Hooper wrote:

> Red Hat is part of a number of non-public groups that discuss and fix
> security issues.  Releasing an update into testing before the issue was
> made public would be irresponsible.

Just to amplify this in case anyone is wondering why giving the patch early 
can be considered irresponsible, blackhats can and do compare the binaries 
issued by, for example, Microsoft, to find out what was patched.  Armed with 
this knowledge they can create attacks on the unpatched machines.

Here is a partial quote from a post to Full Disclosure yesterday, for example 
(courtesy of deleon hushmail com, full post at 
http://lists.netsys.com/pipermail/full-disclosure/2004-February/016878.html) :

''...I discover it was a heap overflow and I even found how. The problem
is h323asn1.dll which ms004-04 patch, and microsoft tried to make this
hard to find by changing lots of fake things, but we have no problem
seeing the True Patch. Old function is sub_40fa6d, new is sub_40f627,
and patch checks a word to see that it is short enough. This word is
actually length of a string that follows (use ethereal to understand
packet) and it can be any length but a few kb is enough to overflow...''

Sort of like Neo being able to see the ebb and flow of information in the 
Matrix, some guys spent so long in IDA that the binary is not so far from the 
source for them....

-Andy

-- 
Find your answer without waiting for replies....
Searchable list archives at 

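To make concrete what the quoted poster saw in the diff (an added "is it short enough" compare in front of a copy whose size comes from a length word in the packet), here is an added example that is not from the original post, from the poster, or from the real h323asn1.dll. Both functions, the wire format (a 16-bit big-endian length word followed by that many bytes), the 16-byte field size and the guard word standing in for the neighbouring heap chunk are assumptions made for illustration only. The "old" decoder trusts the length word when sizing the copy and overruns the field; the "new" one adds the single bound check a binary diff would reveal, which is exactly the hint an attacker works backwards from.

```c
/* Hypothetical length-prefixed field decoder, before and after a patch.
 * Not the real h323asn1.dll code: the wire format (16-bit big-endian
 * length word followed by that many bytes), the 16-byte destination and
 * the guard word are assumptions chosen to make the overrun observable. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DATA_CAP 16u                          /* assumed size of the heap field */
#define GUARD    0xDEADBEEFu                  /* stands in for the next chunk's metadata */
#define OBJ_SIZE (DATA_CAP + sizeof(uint32_t))

/* One heap allocation: DATA_CAP bytes of field storage followed by a guard
 * word that plays the role of whatever sits after the buffer on the heap. */
uint8_t *make_obj(void) {
    uint8_t *obj = calloc(1, OBJ_SIZE);
    if (!obj) abort();
    uint32_t g = GUARD;
    memcpy(obj + DATA_CAP, &g, sizeof g);
    return obj;
}

/* Returns 1 while the guard word is untouched, 0 once it has been overwritten. */
int guard_intact(const uint8_t *obj) {
    uint32_t g;
    memcpy(&g, obj + DATA_CAP, sizeof g);
    return g == GUARD;
}

/* Shared prologue: pull the length word and make sure the packet really
 * carries that many bytes, so neither version over-reads its input. */
static int read_len(const uint8_t *pkt, size_t pktlen, uint16_t *len) {
    if (pktlen < 2) return -1;
    *len = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (*len > pktlen - 2) return -1;
    return 0;
}

/* "Old function": the length word sizes the copy, the destination does not.
 * Returns bytes consumed, or -1 on a malformed packet. */
int decode_old(const uint8_t *pkt, size_t pktlen, uint8_t *obj) {
    uint16_t len;
    if (read_len(pkt, pktlen, &len) != 0) return -1;
    memcpy(obj, pkt + 2, len);             /* len > DATA_CAP runs past the field */
    return 2 + len;
}

/* "New function": identical except for the one compare a diff would show. */
int decode_new(const uint8_t *pkt, size_t pktlen, uint8_t *obj) {
    uint16_t len;
    if (read_len(pkt, pktlen, &len) != 0) return -1;
    if (len > DATA_CAP) return -1;         /* the added "is it short enough" check */
    memcpy(obj, pkt + 2, len);
    return 2 + len;
}

/* Builds a constructed packet: length word followed by `len` bytes of `fill`.
 * Returns the packet size, or 0 if it would not fit in `out`. */
size_t build_packet(uint8_t *out, size_t outcap, uint16_t len, uint8_t fill) {
    if (outcap < 2u + len) return 0;
    out[0] = (uint8_t)(len >> 8);
    out[1] = (uint8_t)(len & 0xff);
    memset(out + 2, fill, len);
    return 2u + len;
}

int main(void) {
    /* The overrun here is kept to the guard word so the demo stays inside its
     * own allocation; the poster's "a few kb" would run far past the chunk. */
    uint8_t pkt[64];
    size_t n = build_packet(pkt, sizeof pkt, DATA_CAP + 4, 'A');
    uint8_t *a = make_obj(), *b = make_obj();
    printf("old: rc=%d guard_intact=%d\n", decode_old(pkt, n, a), guard_intact(a));
    printf("new: rc=%d guard_intact=%d\n", decode_new(pkt, n, b), guard_intact(b));
    free(a);
    free(b);
    return 0;
}
```

Diffing the two functions gives the attacker the field that matters (the length word), the bound it must exceed (DATA_CAP) and the fact that nothing else changed; from there it is a matter of putting a packet on the wire with a larger length and watching what the overwritten neighbour controls.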
