Open Source and information security mailing list archives
From: ben at iagu.net (Ben Nagy)
Subject: RE: Risk between discovery and patch (was: The new Microsoft math)

> > | Geo wrote:
> > |
> > | I think you seriously underestimate the hacking skills of eeye,
> > | there are very few who could turn the bugs they find into full blown
> > | root level exploits.
> > |
> > | Geo.
> >
> > Dave Aitel wrote:
> >
> > That's retarded. Immunity is releasing a universal, repeatable, lsass
> > exploit in about 5 minutes to our CANVAS customers, for example, and
> > we're sure everyone else is done as well. For bonus credit we're
> > including a working ASN.1 exploit that owns IIS, Exchange, and
> > everything else...

[...]

> This was Benjamin Meade:
>
> And how much effort do you have to put into finding new staff? The guys
> at eEye are very good, and geo simply made the point that there are few
> people that good. Immunity happens to be one of them. Take it as a
> compliment, not an insult.

I think that there is a big big difference between releasing an exploit for a stack based buffer overflow when the advisory _tells_ you what function to call, and finding a bug where the exploitation is not so obvious and then successfully working out how to exploit it. We all remember "experts" claiming that ASN.1 was only a DoS and not exploitable and that eEye were overstating the case. Now you've got a fully working 'sploit. The RPC race condition in the last round of advisories couldn't be exploited by "experts", until it was combined with the memory leak...etc.

First, I think you should accept the compliment, above, that you are one of the "few who can", and not read it as someone underestimating your hacking skillZ.

Second, I think that the real point of Geo's mail is not about producing PoC exploits once the vulnerability is released and the patch is available. The subthread was about the risk of MS leaving things unpatched for a long time.

Geo's point (as I read it) was that very few people can take a non-trivial zero day vulnerability and produce a working exploit with no further clues - even if they can find it in the first place. Obviously something like a stack based overflow is easy, but witness the stupid "heap corruption isn't exploitable" flailing that we saw after ASN.1 - and that was _after_ the advisory pinpointed the issue.

Well, I do have a point of my own on the subthread. In a perfect world, if someone tells MS about a zeroday and waits until the patch is released then that presents no greater risk to the Windows world than the risk of some malicious entity finding a new, independent zeroday and exploiting it. Mathematically, I suppose this assumes that the number of Windows bugs is infinite, but hey, close enough. ;)

There are two problems with this - first it's not a perfect world, and we've seen that bug data leaks from time to time. Second, once a vulnerability is announced in something like RPC then people start focusing on it - after MS03-026 and 039 we have seen a rash of new RPC problems in a similar vein that were left unpatched for months. It is far from impossible that Bad People could have found and exploited them independently within that timeframe. In a sense, once there are "hints" out there then the risk is significantly elevated - and that's why waiting six months to release a set of rolled-up patches is a questionable approach.

ben