From: dave at immunitysec.com (Dave Aitel)
Subject: RE: Risk between discovery and patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, my point is this: There isn't anyone who can say for sure how
many people could have found and exploited the LSASS hole. For sure
geo can't say how many people there are. He thinks it's maybe a
handfull, but more than that, he feels he has to share that opinion
with the whole world on FD and additionally argue that it's ok to not
release patches for years based on that opinion.

But I don't think Immunity is one of the "few that can". I think there
are thousands of people who can do this sort of work - and plenty of
them are already doing it. It's crazy to think that when you find a
bug, that no one else has found that bug. There's no magical line
between for-profit researchers and hobby researchers. If anything,
hobbists (aka hackers) have more time and resources to put towards
vulnerability research and exploitation. The reason there aren't all
sorts of worms coming out for these things is that worms only ruin
bugs, they don't do anything cool with them. They're just the
punchline to the joke that is a dieing bug. There's no motivation
there, since with the right 0day you can own anything you want to own
as it is. Such as eEye or Microsoft or Immunity.

All geo was doing was adding to the noise (which I'll stop doing now).
And his conclusions are silly.

Dave Aitel
Immunity, Inc.
P.S. I didn't write either the ASN.1 or the LSASS bug up. My job is
currently to fill out forms and do paperwork. :>



Ben Nagy wrote:

| ... First, I think you should accept the compliment, above, that
| you are one of the "few who can", and not read it as someone
| underestimating your hacking skillZ.
|
| Second, I think that the real point of Geo's mail is not about
| producing PoC exploits once the vulnerability is released and the
| patch is available. The subthread was about the risk of MS leaving
| things unpatched for a long time. Geo's point (as I read it) was
| that very few people can take a non-trivial zero day vulnerability
| and produce a working exploit with no further clues - even if they
| can find it in the first place. Obviously something like a stack
| based overflow is easy, but witness the stupid "heap corruption
| isn't exploitable" flailing that we saw after ASN.1 - and that was
| _after_ the advisory pinpointed the issue.
|
| Well, I do have a point of my own on the subthread. In a perfect
| world, if someone tells MS about a zeroday and waits until the
| patch is released then that presents no greater risk to the Windows
| world than the risk of some malicious entity finding a new,
| independent zeroday and exploiting it. Mathematically, I suppose
| this assumes that the number of Windows bugs is infinite, but hey,
| close enough. ;)
|
| There are two problems with this - first it's not a perfect world,
| and we've seen that bug data leaks from time to time. Second, once
| a vulnerability is announced in something like RPC then people
| start focusing on it - after MS03-026 and 039 we have seen a rash
| of new RPC problems in a similar vein that were left unpatched for
| months. It is far from impossible that Bad People could have found
| and exploited them independantly within that timeframe. In a sense,
| once there are "hints" out there then the risk is significantly
| elevated - and that's why waiting six months to release a set of
| rolled-up patches is a questionable approach.
|
| ben
|
|
|
|
|
| _______________________________________________ Full-Disclosure -
| We believe in it. Charter:
| http://lists.netsys.com/full-disclosure-charter.html


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAfoHCzOrqAtg8JS8RAsXNAKDDbewIfUpTRMkxR7cipGiTc+wjtwCg5Fk8
jvjZqhF3ivOxLiqX7SazqRU=
=Bbhp
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists