Message-ID: <CAJB2Jzt=VT076Vt_14KRyU9Ur3rT0y0L0LN6pw0cxpubVr0evw@mail.gmail.com>
Date: Sat, 3 Sep 2011 03:03:13 +0200
From: Mario Vilas <mvilas@...il.com>
To: Valdis.Kletnieks@...edu
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Cybsec Advisory 2011 0901 Windows Script Host
 DLL Hijacking

I disagree. If this so called "vulnerability" had any added value in terms
of social engineering, it would actually make sense to report it. Social
engineering isn't "bad", I really don't care how "leet" it is. My claim is
simpler: this advisory makes no sense at all, because it replaces an easy
way of exploitation for a hard way of exploitation, so its added value is
actually *negative* for the attacker.

Most likely whoever found this is new in the infosec world and never stopped
to consider these details - he/she just blindly repeated what the dll
injection crowd was doing and posted whatever results were found, without
understanding really well what was going on.

And THAT is the state of infosec today. People who report stuff for the sake
of reporting, without really understanding how things work or why.

On Fri, Sep 2, 2011 at 11:46 PM, <Valdis.Kletnieks@...edu> wrote:

> On Fri, 02 Sep 2011 20:55:35 -0000, "Thor (Hammer of God)" said:
>
> > LOL.  "Warning, if you get the user to execute code, then it is possible
> > to get the user to execute code!!  All you have to do is get files on
> > their system, and then get them to execute those files!   Note that once
> > you get the user to execute the code, it will actually run in the context
> > of that user!! This is remote code execution vulnerability!"
>
> > Welcome to today's Infosec!
>
> The sad part is that this is the future of infosec as well.  Microsoft got
> the security religion a few years back, and even I have to admit their
> current stuff isn't that bad at all.  The various Linux distros are (slowly)
> getting their acts together, and maybe even Apple and Adobe will see the
> light sometime reasonably soon. Yes, there will still be software failures -
> but once the effort of finding a new 0-day reaches a certain point, the
> economics change....
>
> And once that happens, social engineering will become an even bigger part
> of both the attack and defense sides of infosec.  For the black hats, the
> cost/benefit of looking for effective 0-day holes will continue to drop,
> while the cost/benefit of phishing a user will remain steady - so that's a
> push towards more social engineering. Why go to the effort of spending 3
> months finding a browser bug that allows you to push malware to the victim's
> machine, when you can just spend 45 minutes creating a "Your machine is
> infected - click here to fix it" pop-up that will catch 80% of the people?
>
> Meanwhile, as the software gets more hardened and patching is more
> automated, the white hats will find a bigger percent of their time is spent
> defending their systems from attacks triggered by their own users.  Because
> the failure rate of people's brains is already about 4.7*10**9 times as high
> as the software failure rate, and the ratio is only getting worse - software
> is improving, people aren't.
>
> Prediction 1: 10 years from now, organized crime will be hiring cognitive
> psychologists to help design more effective phish the way they currently
> hire programmers to write better spambots.
>
> Prediction 2: It ain't gonna get better till the average IQ starts going up
> faster than the software improves.


-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
