Message-ID: <4456765C.4030104@sdf.lonestar.org>
Date: Mon May 1 21:58:17 2006
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: MSIE (mshtml.dll) OBJECT tag vulnerability
Tim Bilbro wrote:
>I don't think it is inevitable. Think about browser DoS vulnerabilities.
>A stealth blackhat wouldn't bother with that type of exploit. It's
>brute force, messy, doesn't get you root and it's trackable to some
>degree. But, lesser hackers will immediately adopt exploits that just
>crash the browser for example. So, by publishing that type of exploit
>and labeling it critical you create a new requirement for mitigation that
>wouldn't otherwise be there.
>
>
If a script kiddie wants to DoS a browser, there are very easy ways to
do so without resorting to arcane tricks. Resource consumption/misuse
has always been an easy game to master. I think that your example here
is a very very poor one. It's like saying that the fork bomb is a well
guarded secret.
It's inevitable. If it's a known hole anywhere, it's a matter of time
until it gets out.
The issues that count, the ones that both black hats and script kiddies
care about that get them access, they will always follow the pattern I
laid out because it's beneficial to the skilled black hats to do it that
way.
>Some have suggested a 'Vulnerability Escrow' A third party that tracks
>and holds vulnerability discoveries and works with the vendor. I think
>that is an idea worth exploring.
>
>
I think it's a horrible idea that only creates people with a vested
interest in getting paid to hold vulnerabilities in secret. There's no
way to enforce its usage and as such it will never result in a lack of
disclosure. The "escrow" services will become targets of attacks and
eventually, because greed always wins, this new flashy database of
0-days will be sold off to the highest bidder.
I think it's a monumentally bad idea to collect all vulnerability data
necessary for the company to fix their product in one place and leave it
in the hands of people who only have a monetary goal in their holding of
that data.
-bkfsec