[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <C0C21D55.20C42%ltr@isc.upenn.edu>
Date: Sat Jun 24 03:39:52 2006
From: ltr at isc.upenn.edu (David Taylor)
Subject: Amazon, MSN vulns and.. Yes, we know! Most
sites have vulnerabilities
Not sure if I agree with the "Most sites don't fix them" comment but I agree
there are probably a lot of people that just don't get how serious the
report is about a vulnerability in their software.
What I am worried about for the moment is milw0rm. That site releases an
average of 6 or 7 zero day exploits a day. It has increased the workload I
have letting our IT folks know about new threats. A lot of these
vulnerabilities are web/php based but pwn3d is pwn3d. I would imagine it
feeds a lot of the zone-h.org defacement entries. I don't see as many full
disclosure zero-day postings as I do on milw0rm.
Sorry if this doesn't fit the entire subject matter of this post but just
had to throw it out there. It is getting hard to keep up with.
On 6/23/06 9:30 PM, "Gadi Evron" <ge@...uxbox.org> wrote:
> In this post I link to a blog entry by a guy (dcrab) who does some show
> and tell about Amazon and MSN. You gotta love Full Disclosure. Full
> Disclosure and why bugtraq is here is what I talk about. Just skip my text
> to the end for that information.
>
> So, yes, we know. Thanks. Yes, we know. Most sites have
> vulnerabilities. Most sites don't fix them. All you have to do is pick one
> arbitrarily and find them after a second to a few minutes of search.
>
> Recently I exchanged some words on exactly this subject with Scott Chasin
> (started bugtraq back in `93). This is why Full Disclosure was originally
> done and part of why bugtraq was originally created. People don't often
> remember why, and today attack the concept of Full Disclosure and say that
> it is irresponsible to disclose vulnerabilities that way.
>
> On some levels, I agree, but nothing is black and white even if I often
> think it is.
>
> Some companies take security seriously. Reporting to them works. Some
> companies (at BEST) ignore you. Back then most companies ignored. Back
> then Full Disclosure was THE silver bullet and THE solution. I recently
> had the chance to discuss this with Aleph1 as well. He who strongly
> believes in Full Disclosure agrees it's a different world now.
>
> Today, the same situation is repeated with new fields. Game companies,
> critical infrastructure (such as with SCADA systems), etc. who now
> discover the world of vulnerability research don't know how to deal with
> it. It is interesting to watch how the world of security repeats its
> history.
>
> When someone releases the information it is a fact that everyone goes and
> attacks the site or builds a POC. When someone provides only with the name
> of the site or skeleton details of vulnerabilities... everyone goes and
> looks for what they know is there.
>
> Back a few months ago a kiddie tried to sell an Excel vulnerability on
> FD. Now, I am not sure if this is completely related but a few months
> after that Microsoft released several patches for Excel. This month we
> have had Excel 0days.
>
> In the world of web security the situation is more extreme. Release the
> bug? Everyone will exploit it. Release the site name? Everyone will find a
> bug there TODAY.
>
> The point is, though, that these vulnerabilities have always been there,
> and they have been exploited before. We just didn't know about them. And
> people are surprised when corporations and sites are broken into and their
> personal data is stolen?
>
> Here is a blog post of a guy who got sick of reporting vulnerabilities,
> and after years of trying (look at the dates), finally made a small
> release about MSN and Amazon (although other interesting sites are listed
> there.
>
> http://blogs.hackerscenter.com/dcrab/?p=19
>
> Noam Rathaus recently wrote about a similar issue ("From Flaw to
> Exploit"):
> http://blogs.securiteam.com/index.php/archives/449
>
> I contacted both Amazon and MS, but this is out there and once it's out
> there - it's, well; out there. Full disclosure, y'know.
>
> Gadi Evron.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================
Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader
Powered by blists - more mailing lists