Dailydave mailing list archives

Avant-Garde Dance and Microsoft Tuesday


From: Dave Aitel <dave () immunityinc com>
Date: Tue, 26 Jun 2007 16:38:04 -0400

I like to make up my own definitions for things sometimes. For
example, I was hanging out with some professional modern dancers (if
you just say "dancers" people assume you mean strippers) in Bern a
couple weeks ago. My definition of avant-garde dance is "You're going
to see someone's nipples". While this might not be the preferred
definition for most people, I stick to it since it's a simple and easy
metric even if "You're going to see someone's nipples and there will
be some loud non-melodic electronica" is much more accurate.

Likewise, I read with interest the weblog here:
http://www.avertlabs.com/research/blog/index.php/2007/06/26/zero-day-threats-part-3-when-how-are-they-released/

In it, Craig Schmugar of Avert Labs (McAfee) posits that 0day means:
The public availability of exploit information on the same day that a
vulnerability is publicly disclosed.

I know there are a lot of people's opinions on what "0day" means, but
that's more off-base than my nipple definition for avant-garde dance.

There are other problems with his analysis. He's testing the following
theory: "Some concluded that many zero day threats are strategically
released very close to Patch Tuesday as a means to maximize the Window
of Vulnerability". But somehow he thinks that you would detect an
exploit immediately after it was being widely used, and that for some
reason it's valuable to include every potential Microsoft
vulnerability in the survey, as opposed to just remotely exploitable
IE bugs.

Everything else in the blog post is a confused muddle. Certainly
someone could do some real research here with the numbers, but this
isn't it.

If you want to maximize the use of an 0day, you use it selectively on
targets for a long time, then you go nuts with it right before you
think it will be killed or right after it's been killed. Even then, it
will probably take the AV/IDS community a week to notice it. So my
expected curve has a peak about 7 days after Microsoft Tuesday, given
that I think the bug will die next month and I'm likely to release it
on Patch Weds. If people are widely using 0day right before MS
Tuesday, this would indicate they've owned Microsoft and know when
bugs are about to be patched.

- -dave
