Open Source and information security mailing list archives
From: geoincidents at getinfo.org (Geoincidents)
Subject: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011

> I can see that you don't know anything about finding vulnerabilities or
> writing exploits. What you just said is "Hey d3wd, there's like a
> vulnerability in windows man, and h3h see if you can find it d00d!".

Isn't that exactly the assumption that eeye proceeds under?

The original statement to which I responded suggested "what if someone
exploited ASN.1 before Microsoft had a patch ready". I then suggested that
there are damn few people capable of finding and exploiting such flaws without
help from folks like the guys at eEye (that was not meant as a cut to
Immunity, Inc., nor was I talking specifically about ASN.1). So I feel it's
perfectly proper to point out that the eEye URL is a list of exploitable
code that vendors have not patched yet and for which eEye has not posted details
(i.e. no help from eEye); it was actually a much more impressive list a month
ago.

Where are the exploits for these from the worm/virus writers? If they and
the other exploit coders were so skilled, Microsoft wouldn't be taking 4 - 6
months to patch this stuff. (I don't know Dave, so this really isn't a
reflection on his personal skill set, and I'm sure he's a responsible
discloser, so MS doesn't see him as a threat.) If hackers could read the eEye
list, then find and exploit those flaws without further help from eEye,
Microsoft would be forced to deal with these issues much faster. How long
was this last batch of exploits posted on the eEye site before they were
patched the other day?

The fact that this isn't happening even though eEye has posted their list should
be sufficient proof that the skill set required is beyond most. Perhaps Dave
is capable but doesn't feel it's worth the effort until the details are
released; I could believe that, but the fact that none of the worm writers
are doing it when clearly it's worth far more to them prior to a patch
release is very telling.

To put it another way, imagine the woody a worm writer would get from
creating a worm based on a universal Windows exploit like LSASS or ASN.1,
where the worm grabbed the Windows CD key like keyfinder does
(http://www.magicaljellybean.com/keyfinder.shtml), then included the CD keys
from the last 100 machines it infected in an email sent to everyone in the
address book. Clearly the motivation is there, the flaws are there; it's the
skill set that is missing.

Geo.

