[Dshield] Re: [Larholm/PivX] Proxy attackers/hijackers

Thor Larholm thor at pivx.com
Sat Oct 18 19:39:52 GMT 2003


> From: "John Sage" <jsage at finchhaven.com>
> A thought or two..

John, your thoughts are appreciated, I'll try to address the points that are
relevant to the list and not just dirt throwing.

> http://www.pivx.com/larholm/unpatched/

When I first started listing unpatched Internet Explorer vulnerabilities,
Microsoft's attitude and commitment to security was on a completely different
level. At times, it could be difficult to even notify them about new
vulnerabilities. That is why I made the page, to apply public scrutiny and
pressure on Microsoft for them to fix the vulnerabilities and change their
approach.

I believe that goal has been accomplished and the page has served its purpose.
The MSRC division is now quick and effective both in responding and gathering
necessary resources to fix all the short-term critical vulnerabilities, the IE
Security team is working on very promising architectural changes for the
long-term solutions and I know that all of the unpatched vulnerabilities left on
my list are having patches produced.

What more could you want from the list after having accomplished that, except to
bash Microsoft? We want to be a part of the solution and help secure Windows
systems. After all, is that not our goal - to promote and achieve higher levels
of security?

We are moving on to new initiatives and efforts that can promote security, and
part of that is our mailing list where we will be exclusively announcing most of
our research. Any of the thousands of visitors to Unpatched we had each day are
very welcome to subscribe and stay up-to-date on our dedicated security
research.

> A once-a-month release of patches? You're talking gigabytes.

Let's be serious for a second and take their first monthly patch schedule as an
example, 10-20 MB.

> And of course, you'll be wide open 'till the next month's patch is
> released, but that's no problem, in some people's minds. I'm sure that
> the "security companies" that have bought into Micro$oft's newest
> "innovation" will have something to sell you.

If you had been reading any media during the last month that even remotely
covered Microsoft's announcement, you would also have noticed part of that sea
change we are talking about. In the past, Microsoft has discovered new
vulnerabilities, patched them and distributed them. This reactive approach is
not much unlike current antivirus vendors, and equally effective at stopping
future threats - how many AV products were able to stop just a single of the
latest few major outbreaks?

As opposed to this traditional reactive approach, Microsoft is now going
proactive and taking great efforts to protect Windows installations even without
patches installed. They will improve the perimeter (think personal firewall),
reduce the likelihood of successful IE exploits, implement new stack protections
and change their email clients. All this to go beyond patch management.

> In closing:
>
> "If it's good enough for PivX and Micro$oft, it's good enough for
> you!"

When you start misspelling PivX just to state a political belief, I'll buy you a
beer.

> - John

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://pivx.com/larholm/ - Get our research, join our mailing list
