Well of course. As soon as a patch is available, it can be used for
nefarious purposes. Then one asks, what if no one said a word, and a
patch was never released, would there have been a worm? In my opinion,
it’s better to have the patch than not. So what do you do? There will
always be human nature and other reasons systems are not kept
up-to-date. This thread originated with the question, does it make
sense to write software that monitors the registry for dubious access
patterns? Short of software vendors stopping releasing software with
errors (ha), how does the community of typical, non-expert human
computer end-users protect themselves?
Though I run no anti-virus software, I have never been infected with
anything until this worm (because I am prudent, I like to think). I’m
not your basic home user, but I still got bitten. I am running Internet
Connection Firewall, and it still got through. The XP machine that got
infected I intentionally had never updated for testing purposes. Okay,
you may say I get what I deserve in this case. But the point is there
may be any number of reasons why a worm gets to you before the patch
does, regardless of how “sure” you are you have all the necessary
precautions in place (like a certain firewall). I don’t think this
thread has adequately answered the question of whether adding more panes
of bullet-proof glass is useful or not; it’s a difficult question with
no clear answer. Antony, the OP, was discouraged from entering a red
queen’s race. Ultimately such a race is unwinnable, but it might be
enough to be a hair ahead most of the time. As Michal Vodicka pointed
out, my chances of becoming infected may have been reduced had I been
running Antony’s proposed registry monitor.
Another way to pose the question is, how can the damage best be
mitigated in the situation where the black hats are more informed and/or
more up-to-date than the average user?
Chuck
----- Original Message -----
From: “Roddy, Mark”
To: “Windows System Software Developers Interest List”
Sent: Wednesday, August 20, 2003 9:04 PM
Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon(a new puzzle))
> I’m not quite understanding how Microsoft is supposed to make patches
> available without publicising them. The black hats certainly have NT systems
> downloading updates for them to examine for new exploits. So who are we
> protecting here? The public from knowing how vulnerable they are?
>
> =====================
> Mark Roddy
> Hollis Technology Solutions
> www.hollistech.com
> xxxxx@hollistech.com
>
>
> -----Original Message-----
> From: Chuck Batson [mailto:xxxxx@cbatson.com]
> Sent: Wednesday, August 20, 2003 9:50 AM
> To: Windows System Software Developers Interest List
> Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon(a new puzzle))
>
>
> Right. Whether specific instructions to take advantage of the exploit or a
> patch for the exploit are made public, the result is basically the same.
> Simply making it public knowledge opens the door for those with malicious
> intent who realize human nature will provide a window of opportunity – the
> time between the public announcement and the time individual users apply the
> patch. I’m not advocating any particular position – there are valid
> arguments from both sides, and I personally don’t know what the “right
> answer” is. But I do find it interesting to ponder whether the worm would
> have come about had there been no public announcement regarding the exploit
> (including announcement of a patch).
>
> Chuck
>
> ----- Original Message -----
> From: “Andrey Kolishak”
> To: “Windows System Software Developers Interest List”
> Sent: Wednesday, August 20, 2003 6:52 PM
> Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon(a new puzzle))
>
>
> >
> > that is not fully correct. The history is as follows.
> > 1) lsd team has discovered the bug and informed/worked with Microsoft to
> > identify and fix it
> > 2) After Microsoft issued the patch, lsd published their credits for
> > discovering the problem, but they never published any details (at
> > least no more than Microsoft itself) about the bug and of course never
> > published any exploits
> > 3) While Microsoft issued the patch it urged everybody that the bug is quite
> > serious and must be patched asap
> > 4) Using the Microsoft patch some hackers made a diff and identified the fixed
> > code as well as discovered the bug itself
> > 5) some of those hackers wrote exploits and made them publicly
> > available, that is, about 2 weeks after the patch was released
> > 6) Microsoft urged everybody even more to install the patch
> > 7) in about 2-3 weeks the Blaster worm appeared
> >
> > So researchers who discovered the bug are not responsible for the Blaster
> > worm. The case has shown that even if you keep silent it doesn’t stop
> > exploits as soon as the patch is released.
> >
> >
> > Best regards,
> > Andrey mailto:xxxxx@sandy.ru
> >
> >
> >
> > >> How about a situation such as the most recent blaster worm? In that
> > >> case, Microsoft
> > >> found the exploit and made a fix available back in early JULY. It was
> > >> inattentive customers
> > >> who failed to apply the patch and left their systems vulnerable.
> > >> (Count me as one of them
> > >> for a couple of my own systems
> >
> >
> > CB> In this case the exploit was published. Which raises an interesting
> > CB> question: if it hadn’t, would the virus author have known about the
> > CB> exploit and would a worm using this exploit have been written?
> >
> > CB> Chuck