[funsec] Microsoft Makes Concessions to Security Software Makers
Dude VanWinkle
dudevanwinkle at gmail.com
Sat Oct 14 20:19:51 CDT 2006
On 10/14/06, Nick FitzGerald <nick at virus-l.demon.co.uk> wrote:
> Dude VanWinkle wrote:
>
> > I would like to see a an exploit for this pre-release, which would
> > help answer an interesting question: If a working exploit was found in
> > the wild, would MS delay the ship date or just release a patch as soon
> > as they coded it.
>
> It would depend when the exploit was released relative to the code
> going gold/RTM. If "too close" to RTM (and there are far too many
> factors to consider in a hypothetical to give any idea of what that
> might be), or after it but before "public release", then you can bet
> that the security response folk would be working to ensure that it was
> either patched for the next Patch Tuesday (if it affected "enough" of
> the beta/RC releases) or at least to be ready for when the code was to
> be publicly released (November for corporate licensing programs,
> right?), so the first time Vista goes to WU (first time it goes online
> during/after install, yes?) it would pick it up.
As I am sure you know by now Vista already has several security
hotfixes that are applied, but usually they bundle those fixes into
the next build, but what I was referring to was the statement by
Joanna and zdnet:
http://www.networkworld.com/news/2006/080406-microsoft-blue-pill.html?page=2
In her presentation, Rutkowska suggested a few ways Microsoft might
address the code-signing bypass issue, and Microsoft intends to review
them. However, Microsoft probably won't hold up shipping Vista if it
can't resolve the issue in time.
---------------
I seem to remember Joanna using more definite terms when referring to
a fix for preventing the processor virtualization "flaw" from being
exploited, but my google skills are failing me tonight. Also that
"fix" may have involved compromising their ability to deploy virtual
instances that are indistinguishable from the real deal.
Oops, I just "patched" the point I was trying to make into nonexistence. D'oh!
-JP<who guesses if you talk to yourself long enough, you CAN answer
all your questions>
More information about the funsec
mailing list