[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Comments on: Browser patches yearn to be free

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Comments on: Browser patches yearn to be free
From: Robert Brockway <robert@xxxxxxxxxxxxxxxxx>
Date: Thu, 2 Oct 2008 19:46:51 -0400 (EDT)

On Sat, 27 Sep 2008, n3td3v wrote:

> Also, third party patches are the most danergous patches, so its
> better to know when the genuine patch is coming out.

Using the release date of a patch to verify the legitimacy of a patch is a 
bad idea.  It is too easily exploitable.

How about:

#1) Decide who you are prepared to accept patches from.  Conduct a risk 
assessment.  Chances are you'll only want vendor patches.

#2) Verify that the patches are properly signed.  If the vendor doesn't 
sign their patches then you may want to find a new vendor.

> Never accept third party patches, even if they are from ZERT, it sets
> a bad precedence.

While I agree this is true in most cases, it is possible to formulate this 
statement more generally.  See #1 above.

It isn't about only accepting patchs from an arbitrary group of people, it 
is about knowing who you are accepting patches from and being prepared to 
trust them.

Rob

-- 
I tried to change the world but they had a no-return policy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [USN-650-1] cpio vulnerability
Next by Date: Re: [Full-disclosure] Vulnerability: Web Coat K9 Web Protection 3.0.27
Previous by thread: [Full-disclosure] [USN-650-1] cpio vulnerability
Next by thread: Re: [Full-disclosure] Full-Disclosure Digest, Vol 44, Issue 4
Index(es):
- Date
- Thread