Full Disclosure mailing list archives
Re: RE: Risk between discovery and patch
From: Dave Aitel <dave () immunitysec com>
Date: Thu, 15 Apr 2004 08:36:18 -0400
Well, my point is this: There isn't anyone who can say for sure how many people could have found and exploited the LSASS hole. For sure geo can't say how many people there are. He thinks it's maybe a handful, but more than that, he feels he has to share that opinion with the whole world on FD and additionally argue that it's ok to not release patches for years based on that opinion.

But I don't think Immunity is one of the "few that can". I think there are thousands of people who can do this sort of work - and plenty of them are already doing it. It's crazy to think that when you find a bug, no one else has found that bug. There's no magical line between for-profit researchers and hobby researchers. If anything, hobbyists (aka hackers) have more time and resources to put towards vulnerability research and exploitation.

The reason there aren't all sorts of worms coming out for these things is that worms only ruin bugs, they don't do anything cool with them. They're just the punchline to the joke that is a dying bug. There's no motivation there, since with the right 0day you can own anything you want to own as it is. Such as eEye or Microsoft or Immunity.

All geo was doing was adding to the noise (which I'll stop doing now). And his conclusions are silly.

Dave Aitel
Immunity, Inc.

P.S. I didn't write either the ASN.1 or the LSASS bug up. My job is currently to fill out forms and do paperwork. :>

Ben Nagy wrote:
| ...
| First, I think you should accept the compliment, above, that you are one of the "few who can", and not read it as someone underestimating your hacking skillZ.
|
| Second, I think that the real point of Geo's mail is not about producing PoC exploits once the vulnerability is released and the patch is available. The subthread was about the risk of MS leaving things unpatched for a long time. Geo's point (as I read it) was that very few people can take a non-trivial zero day vulnerability and produce a working exploit with no further clues - even if they can find it in the first place. Obviously something like a stack based overflow is easy, but witness the stupid "heap corruption isn't exploitable" flailing that we saw after ASN.1 - and that was _after_ the advisory pinpointed the issue.
|
| Well, I do have a point of my own on the subthread. In a perfect world, if someone tells MS about a zeroday and waits until the patch is released then that presents no greater risk to the Windows world than the risk of some malicious entity finding a new, independent zeroday and exploiting it. Mathematically, I suppose this assumes that the number of Windows bugs is infinite, but hey, close enough. ;)
|
| There are two problems with this - first it's not a perfect world, and we've seen that bug data leaks from time to time. Second, once a vulnerability is announced in something like RPC then people start focusing on it - after MS03-026 and 039 we have seen a rash of new RPC problems in a similar vein that were left unpatched for months. It is far from impossible that Bad People could have found and exploited them independently within that timeframe. In a sense, once there are "hints" out there then the risk is significantly elevated - and that's why waiting six months to release a set of rolled-up patches is a questionable approach.
|
| ben
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Burnes, James (Apr 14)
- Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Geoincidents (Apr 14)
- Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Dave Aitel (Apr 14)
- Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Benjamin Meade (Apr 14)
- RE: Risk between discovery and patch (was: The new Microsoft math) Ben Nagy (Apr 15)
- Re: RE: Risk between discovery and patch Dave Aitel (Apr 15)
- Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Dave Aitel (Apr 14)
- Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Geoincidents (Apr 14)
- Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Geoincidents (Apr 14)
- <Possible follow-ups>
- RE: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Steven M. Christey (Apr 15)