Dailydave mailing list archives
Avant-Garde Dance and Microsoft Tuesday
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 26 Jun 2007 16:38:04 -0400
I like to make up my own definitions for things sometimes. For example, I was hanging out with some professional modern dancers (if you just say "dancers" people assume you mean strippers) in Bern a couple weeks ago. My definition of avant-garde dance is "You're going to see someone's nipples". While this might not be the preferred definition for most people, I stick to it since it's a simple and easy metric even if "You're going to see someone's nipples and there will be some loud non-melodic electronica" is much more accurate.

Likewise, I read with interest the weblog here:
http://www.avertlabs.com/research/blog/index.php/2007/06/26/zero-day-threats-part-3-when-how-are-they-released/

In it, Craig Schmugar of Avert Labs (McAfee) posits that 0day means:

The public availability of exploit information on the same day that a vulnerability is publicly disclosed.

I know there are a lot of people's opinions on what "0day" means, but that's more off-base than my nipple definition for avant-garde dance.

There are other problems with his analysis. He's testing the following theory: "Some concluded that many zero day threats are strategically released very close to Patch Tuesday as a means to maximize the Window of Vulnerability". But somehow he thinks that you would detect an exploit immediately after it was being widely used, and that for some reason it's valuable to include every potential Microsoft vulnerability in the survey, as opposed to just remotely exploitable IE bugs. Everything else in the blog post is a confused muddle. Certainly someone could do some real research here with the numbers, but this isn't it.

If you want to maximize the use of an 0day, you use it selectively on targets for a long time, then you go nuts with it right before you think it will be killed or right after it's been killed. Even then, it will probably take the AV/IDS community a week to notice it. So my expected curve has a peak about 7 days after Microsoft Tuesday, given that I think the bug will die next month and I'm likely to release it on Patch Weds.

If people are widely using 0day right before MS Tuesday, this would indicate they've owned Microsoft and know when bugs are about to be patched.

-dave