Dailydave mailing list archives
SV: RE: Microsoft silently fixes security vulnerabilities
From: "Carl-Johan Bostorp" <carl-johan.bostorp () hps se>
Date: Thu, 20 Apr 2006 13:09:50 +0200
Hi Ari,

Interesting distinction there between reactive and proactive. Perhaps this distinction also identifies two different needs for information? (You've obviously thought about it, but I'd like to elaborate on it.)

Exactly *who* are you protecting from *what* by withholding information? While it is true that removing the disclosure step will decrease the NUMBER of people knowing about and exploiting the vulnerability, there will still be people who know about it, and my guess is that those are also the people who are able to cause the greatest impact. And it seems we share the belief that the places where patches aren't installed right away can be the places where the biggest impact can be made. So, if you're not willing to inform just how badly the patch needs to be applied, maybe it won't be done, and the consequence will be that the people who are capable of causing the most damage still have the possibility of doing so. For some environments this might not be a big issue, as they're not likely to attract that kind of attention from such people, but there are still quite a few targets out there that are.

Also, there's another aspect to this, as some licenses (or other reasons) require that even if you own the box and operate it in your network, you're not allowed to apply any patches to it. Security here needs to be dealt with differently, and one of the methods that can be used is an IPS. Hopefully those IPSs are so tightly set to begin with that they won't be affected by any of your fuzzer-found vulnerabilities, but what if there is a vulnerability that would pass? How would one know that without you releasing any information (or, of course, unless they themselves decompile the patch to see for themselves what's done)?

Not disclosing full information about your patches sets you up for a serious trust issue, and if organisations are to be REQUIRED to decompile and manually inspect every patch you provide, they're not gonna be happy, and I'm guessing chances are that most don't do it today and won't do it until some pen-tester comes along, exploits a bug and reminds them that it is *NOT* only a theoretical requirement, that the threat is real and the consequences can be grave. This discussion obviously opens up the question of how one would like things to be run in these organisations, but I think change there takes time, and in the meantime I think it's important to adapt to what actually exists right now.

/C-J

-----Original message-----
From: Ari Takanen [mailto:art () codenomicon com]
Sent: 19 April 2006 14:42
To: dailydave () lists immunitysec com
Cc: Marc_Bevand () rapid7 com
Subject: [Dailydave] RE: Microsoft silently fixes security vulnerabilities

Hello all,

Are you sure you want to do risk assessment for all the thousands of security flaws that e.g. our robustness testing tools can find? Do you want to add filters and protections for all the millions of attack simulations that fuzzing tools can generate? Can you protect against e.g. all the attacks that PROTOS tools simulate? ...
Current thread:
- Microsoft silently fixes security vulnerabilities Marc_Bevand (Apr 15)
- <Possible follow-ups>
- RE: Microsoft silently fixes security vulnerabilities Steve Manzuik (Apr 17)
- RE: Microsoft silently fixes security vulnerabilities Ari Takanen (Apr 19)
- Re: RE: Microsoft silently fixes security vulnerabilities H D Moore (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Chris Anley (Apr 23)
- Re: RE: Microsoft silently fixes security vulnerabilities Nick DeBaggis (Apr 23)
- Re: RE: Microsoft silently fixes security vulnerabilities Chris Anley (Apr 24)
- Re: RE: Microsoft silently fixes security vulnerabilities H D Moore (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Bryan Burns (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Pusscat (Apr 21)