Open Source and information security mailing list archives
 
Message-ID: <Pine.LNX.4.21.0610301309220.23772-100000@linuxbox.org>
Date: Mon, 30 Oct 2006 13:22:14 -0600 (CST)
From: Gadi Evron <ge@...uxbox.org>
To: jay.tomas@...osecguru.com
Cc: security@...ichsoft.com, bugtraq@...urityfocus.com,
	full-disclosure@...ts.grok.org.uk
Subject: unreliable vulnerability reports en-masee [was:Re: vulnerability in
 Symantec products]

On Fri, 27 Oct 2006 jay.tomas@...osecguru.com wrote:
> Ummm are you for real? You are posting this as a vulnerability?
> 
> Chances are if they have trojaned or gained privileged access to your workstation it shouldn't be
> too much trouble to alter config of firewall or skirt outbound connectivity.
> 
> Unwise default config, perhaps. Vulnerability ... naah.

Jay, a few months ago someone published a DoS vulnerability that is
triggered when "you run out of hard disk space". Pfft.

Nothing really surprises me anymore. The quality of advisories and QA
people do seems to be dropping, especially when it comes to File
Inclusions. The level of false positives posted in the last couple of
weeks is staggering.

Folks use Google Code Search to find vulns, and don't notice they are
fixed 3 lines above the "bug" and that three lines below, there is
another one.

Last week, one of these File Inclusion vulns worked only if you disabled
two security functions that work by default...

Str0ke from milw0rm (= one of the only places, with SecuriTeam, where you
can find a free and public exploit code, so they go over all of these much
like we at SecuriTeam do).
Str0ke recently spoke of how this is becoming an issue, and how all these
exploits have to be verified on systems none of us have, while little to no
research went into them to begin with.

Up to this day, vulnerabilities and exploits would be researched to a
level, and released AS-IS. This is fast becoming impractical.

Noam, at SecuriTeam wrote a blog entry on much the same, with code samples
(that go on in the comments) called "5 minutes of glory".

http://blogs.securiteam.com/index.php/archives/700

If the S/N ratio of ADVISORIES rather than ML traffic becomes even lower
due to unreliable submissions, our jobs will indeed become much, much harder.

	Gadi.

> 
> Jay
