Date: Sat Jun 24 03:39:52 2006
From: ltr at isc.upenn.edu (David Taylor)
Subject: Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities

Not sure if I agree with the "Most sites don't fix them" comment but I agree
there are probably a lot of people that just don't get how serious the report
is about a vulnerability in their software.

What I am worried about for the moment is milw0rm. That site releases an
average of 6 or 7 zero day exploits a day. It has increased the workload I
have letting our IT folks know about new threats. A lot of these
vulnerabilities are web/php based but pwn3d is pwn3d. I would imagine it feeds
a lot of the zone-h.org defacement entries. I don't see as many full
disclosure zero-day postings as I do on milw0rm.

Sorry if this doesn't fit the entire subject matter of this post but just had
to throw it out there. It is getting hard to keep up with.

On 6/23/06 9:30 PM, "Gadi Evron" <ge@...uxbox.org> wrote:

> In this post I link to a blog entry by a guy (dcrab) who does some show
> and tell about Amazon and MSN. You gotta love Full Disclosure. Full
> Disclosure and why bugtraq is here is what I talk about. Just skip my text
> to the end for that information.
>
> So, yes, we know. Thanks. Yes, we know. Most sites have
> vulnerabilities. Most sites don't fix them. All you have to do is pick one
> arbitrarily and find them after a second to a few minutes of search.
>
> Recently I exchanged some words on exactly this subject with Scott Chasin
> (started bugtraq back in `93). This is why Full Disclosure was originally
> done and part of why bugtraq was originally created. People don't often
> remember why, and today attack the concept of Full Disclosure and say that
> it is irresponsible to disclose vulnerabilities that way.
>
> On some levels, I agree, but nothing is black and white even if I often
> think it is.
>
> Some companies take security seriously. Reporting to them works. Some
> companies (at BEST) ignore you. Back then most companies ignored. Back
> then Full Disclosure was THE silver bullet and THE solution. I recently
> had the chance to discuss this with Aleph1 as well. He who strongly
> believes in Full Disclosure agrees it's a different world now.
>
> Today, the same situation is repeated with new fields. Game companies,
> critical infrastructure (such as with SCADA systems), etc. who now
> discover the world of vulnerability research don't know how to deal with
> it. It is interesting to watch how the world of security repeats its
> history.
>
> When someone releases the information it is a fact that everyone goes and
> attacks the site or builds a POC. When someone provides only with the name
> of the site or skeleton details of vulnerabilities... everyone goes and
> looks for what they know is there.
>
> Back a few months ago a kiddie tried to sell an Excel vulnerability on
> FD. Now, I am not sure if this is completely related but a few months
> after that Microsoft released several patches for Excel. This month we
> have had Excel 0days.
>
> In the world of web security the situation is more extreme. Release the
> bug? Everyone will exploit it. Release the site name? Everyone will find a
> bug there TODAY.
>
> The point is, though, that these vulnerabilities have always been there,
> and they have been exploited before. We just didn't know about them. And
> people are surprised when corporations and sites are broken into and their
> personal data is stolen?
>
> Here is a blog post of a guy who got sick of reporting vulnerabilities,
> and after years of trying (look at the dates), finally made a small
> release about MSN and Amazon (although other interesting sites are listed
> there).
>
> http://blogs.hackerscenter.com/dcrab/?p=19
>
> Noam Rathaus recently wrote about a similar issue ("From Flaw to
> Exploit"):
> http://blogs.securiteam.com/index.php/archives/449
>
> I contacted both Amazon and MS, but this is out there and once it's out
> there - it's, well; out there. Full disclosure, y'know.
>
> Gadi Evron.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================
Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader