From: ben at iagu.net (Ben Nagy)
Subject: RE: Risk between discovery and patch (was: The new Microsoft math)

> > | Geo wrote:
> > |
> > | I think you seriously underestimate the hacking skills of eeye,
> > | there are very few who could turn the bugs they find into full
> > | blown root level exploits.
> > |
> > | Geo.
>
> Dave Aitel wrote:
> >
> > That's retarded. Immunity is releasing a universal, repeatable, lsass
> > exploit in about 5 minutes to our CANVAS customers, for example, and
> > we're sure everyone else is done as well. For bonus credit we're
> > including a working ASN.1 exploit that owns IIS, Exchange, and
> > everything else...
[...]
> This was Benjamin Meade:
>
> And how much effort do you have to put into finding new 
> staff? The guys at eEye are very good, and geo simply made 
> the point that there are few people that good. Immunity 
> happens to be one of them. Take it as a compliment, not an insult.

I think that there is a big big difference between releasing an exploit for
a stack based buffer overflow when the advisory _tells_ you what function to
call, and in finding a bug where the exploitation is not so obvious and then
successfully working out how to exploit it.

We all remember "experts" claiming that ASN.1 was only a DoS and not
exploitable and that eEye were overstating the case. Now you've got a fully
working 'sploit.

The RPC race condition in the last round of advisories couldn't be exploited
by "experts", until it was combined with the memory leak....etc.

First, I think you should accept the compliment, above, that you are one of
the "few who can", and not read it as someone underestimating your hacking
skillZ.

Second, I think that the real point of Geo's mail is not about producing PoC
exploits once the vulnerability is released and the patch is available. The
subthread was about the risk of MS leaving things unpatched for a long time.
Geo's point (as I read it) was that very few people can take a non-trivial
zero day vulnerability and produce a working exploit with no further clues -
even if they can find it in the first place. Obviously something like a
stack based overflow is easy, but witness the stupid "heap corruption isn't
exploitable" flailing that we saw after ASN.1 - and that was _after_ the
advisory pinpointed the issue.

Well, I do have a point of my own on the subthread. In a perfect world, if
someone tells MS about a zeroday and waits until the patch is released then
that presents no greater risk to the Windows world than the risk of some
malicious entity finding a new, independent zeroday and exploiting it.
Mathematically, I suppose this assumes that the number of Windows bugs is
infinite, but hey, close enough. ;)

There are two problems with this - first it's not a perfect world, and we've
seen that bug data leaks from time to time. Second, once a vulnerability is
announced in something like RPC then people start focusing on it - after
MS03-026 and 039 we have seen a rash of new RPC problems in a similar vein
that were left unpatched for months. It is far from impossible that Bad
People could have found and exploited them independently within that
timeframe. In a sense, once there are "hints" out there then the risk is
significantly elevated - and that's why waiting six months to release a set
of rolled-up patches is a questionable approach.

ben