Message-ID: <C0C2AA32.20C6A%ltr@isc.upenn.edu>
Date: Sat Jun 24 13:40:18 2006
From: ltr at isc.upenn.edu (David Taylor)
Subject: Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities
Yes, I realize Milw0rm is simply posting exploits sent to them. I didn't
mean to make it sound like I was putting down Milw0rm, I am just concerned
about the number of 0day's coming out. But, this did make me think. Maybe
a site like this should take exploit submissions via a web based form where
the submitter has to sign an agreement stating something to the effect of:
If you are submitting an exploit for a vulnerability you discovered and did
not responsibly disclose to the vendor you are a meanie. If you did and
they chose not to address it you are a cool person.
I agree we need to see these things if they are going to be floating around.
I just wish people would be more responsible when they discover a
vulnerability and develop an exploit for it. Try to let the vendor know
first.
On 6/23/06 10:47 PM, "Gadi Evron" <ge@...uxbox.org> wrote:
> On Fri, 23 Jun 2006, David Taylor wrote:
>> Not sure if I agree with the "Most sites don't fix them" comment but I agree
>> there are probably a lot of people that just don't get how serious the
>> report is about a vulnerability in their software.
>>
>> What I am worried about for the moment is milw0rm. That site releases an
>> average of 6 or 7 zero day exploits a day. It has increased the workload I
>> have letting our IT folks know about new threats. A lot of these
>> vulnerabilities are web/php based but pwn3d is pwn3d. I would imagine it
>> feeds a lot of the zone-h.org defacement entries. I don't see as many full
>> disclosure zero-day postings as I do on milw0rm.
>>
>> Sorry if this doesn't fit the entire subject matter of this post but just
>> had to throw it out there. It is getting hard to keep up with.
>
> What you say makes sense, but isn't that shooting the messenger?
>
> You are right about how dire the situation is. We have all been thinking
> hard on how to change it. I will wait for Steve Christey's reply as he
> knows how to explain these issues far better than me.
>
> Still, milw0rm seem like good people to me. They bring you the
> information. Without them (and places like the site I am biased about,
> securiteam.com, ex-FRSIRT, etc.) only the Bad Guys would know about these.
>
> Unrelated, we should start distinguishing again between full disclosure
> vulnerabilities and 0days (which can only be used while you don't know
> about them / you caught itw, but definitions vary - just too many
> "0days").
>
> Gadi.
>
>> On 6/23/06 9:30 PM, "Gadi Evron" <ge@...uxbox.org> wrote:
>>
>>> In this post I link to a blog entry by a guy (dcrab) who does some show
>>> and tell about Amazon and MSN. You gotta love Full Disclosure. Full
>>> Disclosure and why bugtraq is here is what I talk about. Just skip my text
>>> to the end for that information.
>>>
>>> So, yes, we know. Thanks. Yes, we know. Most sites have
>>> vulnerabilities. Most sites don't fix them. All you have to do is pick one
>>> arbitrarily and find them after a second to a few minutes of search.
>>>
>>> Recently I exchanged some words on exactly this subject with Scott Chasin
>>> (started bugtraq back in `93). This is why Full Disclosure was originally
>>> done and part of why bugtraq was originally created. People don't often
>>> remember why, and today attack the concept of Full Disclosure and say that
>>> it is irresponsible to disclose vulnerabilities that way.
>>>
>>> On some levels, I agree, but nothing is black and white even if I often
>>> think it is.
>>>
>>> Some companies take security seriously. Reporting to them works. Some
>>> companies (at BEST) ignore you. Back then most companies ignored. Back
>>> then Full Disclosure was THE silver bullet and THE solution. I recently
>>> had the chance to discuss this with Aleph1 as well. He who strongly
>>> believes in Full Disclosure agrees it's a different world now.
>>>
>>> Today, the same situation is repeated with new fields. Game companies,
>>> critical infrastructure (such as with SCADA systems), etc. who now
>>> discover the world of vulnerability research don't know how to deal with
>>> it. It is interesting to watch how the world of security repeats its
>>> history.
>>>
>>> When someone releases the information it is a fact that everyone goes and
>>> attacks the site or builds a POC. When someone provides only with the name
>>> of the site or skeleton details of vulnerabilities... everyone goes and
>>> looks for what they know is there.
>>>
>>> Back a few months ago a kiddie tried to sell an Excel vulnerability on
>>> FD. Now, I am not sure if this is completely related but a few months
>>> after that Microsoft released several patches for Excel. This month we
>>> have had Excel 0days.
>>>
>>> In the world of web security the situation is more extreme. Release the
>>> bug? Everyone will exploit it. Release the site name? Everyone will find a
>>> bug there TODAY.
>>>
>>> The point is, though, that these vulnerabilities have always been there,
>>> and they have been exploited before. We just didn't know about them. And
>>> people are surprised when corporations and sites are broken into and their
>>> personal data is stolen?
>>>
>>> Here is a blog post of a guy who got sick of reporting vulnerabilities,
>>> and after years of trying (look at the dates), finally made a small
>>> release about MSN and Amazon (although other interesting sites are listed
>>> there).
>>>
>>> http://blogs.hackerscenter.com/dcrab/?p=19
>>>
>>> Noam Rathaus recently wrote about a similar issue ("From Flaw to
>>> Exploit"):
>>> http://blogs.securiteam.com/index.php/archives/449
>>>
>>> I contacted both Amazon and MS, but this is out there and once it's out
>>> there - it's, well; out there. Full disclosure, y'know.
>>>
>>> Gadi Evron.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>> ==================================================
>> David Taylor //Sr. Information Security Specialist
>> University of Pennsylvania Information Security
>> Philadelphia PA USA
>> (215) 898-1236
>> http://www.upenn.edu/computing/security/
>> ==================================================
>>
>> Penn Information Security RSS feed
>> http://www.upenn.edu/computing/security/rss/rssfeed.xml
>> Add link to your favorite RSS reader
>>
>>
>>
==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================
Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader