Full Disclosure mailing list archives
Re: Anti-MS drivel
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Tue, 20 Jan 2004 22:02:43 +0100 (CET)
On Sun, 18 Jan 2004, yossarian wrote:
> I checked the flaws reported the last week - and yes I read many many lists, some 250 mails per day - and the only thing getting close to software used in bigger environments is this BEA thingie 5 days ago /.../
Yup, security research focuses on home computing, but this does not mean the quality of enterprise software is any better; quite the opposite. I had a chance to audit a bunch of big enterprise applications in several places I've worked in, and it is very uncommon to find a solution that will not fall apart if you mess with its proprietary protocols and interfaces - often exposing gross trust model design problems. These applications usually undergo much more rigorous QA, and this eliminates most of the basic reliability issues that occur in reasonably "normal" working conditions - but the most common type of QA does almost nothing to find problems that will surface only when the application is poked with a stick by a sufficiently skilled attacker. Old school development and quality assurance practices, and developers with mindsets locked on network security as it used to be in the late '80s or so, are far more prevalent in these environments. And it really really shows.

The relatively low number of vulnerabilities found in those products can be attributed to a couple of basic factors:

1) Average Joe Hacker does not have access to prohibitively expensive or highly specialized systems used in high-profile corporations. He does have his Windows and Linux partition, though, maybe even a Solaris box somewhere, and can sometimes get ahold of Oracle. Enterprise applications for VMS or OS/400, doubtful. This holds true both for amateur researchers, and for many "vulnerability research" shops, too - they simply do not have the budget (or incentive) to do it.

2) Joseph Hacker who happens to be working in a corporation that has such a platform is usually limited in how far he can experiment with it while playing it safe, especially if it is a production system "ever since", and creating a dedicated testbed with appropriate data feeds would be overly complex or time-consuming.

3) Even if Joseph finds a flaw, he is expected to work with the vendor to protect his company's assets, instead of disclosing a problem (otherwise, a swift retaliation from both the vendor and his now ex-employer would ensue). He does not have the freedom Joe enjoys. Moreover, sometimes vendors are extremely non-cooperative, and there is simply no other choice for this platform that could be used as a replacement without major transition expenses and problems.

4) The public interest in this type of vulnerability is marginal. Although some solutions may be popular in corporations, the systems usually do not face the Internet, and are seldom mentioned in the media. As such, there is very little incentive to disclose this type of stuff, as only a couple of folks are going to realize what you are talking about to start with.

Just my $.02.

--
-------------------------
bash$ :(){ :|:&};:
-- Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
---------------------------
2004-01-20 21:31 -- http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Anti-MS drivel James Patterson Wicks (Jan 17)
- RE: Anti-MS drivel Scott Taylor (Jan 17)
- Re: Anti-MS drivel yossarian (Jan 17)
- RE: [inbox] Re: Anti-MS drivel Curt Purdy (Jan 18)
- RE: [inbox] Re: Anti-MS drivel joe (Jan 18)
- RE: [inbox] Re: Anti-MS drivel joe (Jan 18)
- Re: [inbox] Re: Anti-MS drivel Valdis . Kletnieks (Jan 18)
- Re: Anti-MS drivel yossarian (Jan 17)
- Re: Anti-MS drivel Ron DuFresne (Jan 20)
- Re: Anti-MS drivel Michal Zalewski (Jan 20)
- RE: Old school applications on the Internet (was Anti-MS drivel) Bill Royds (Jan 20)
- Re: Old school applications on the Internet(was Anti-MS drivel) Gregh (Jan 21)
- RE: Old school applications on the Internet(was Anti-MS drivel) Steve Wray (Jan 21)
- Re: Old school applications on the Internet(was Anti-MS drivel) Valdis . Kletnieks (Jan 22)
- RE: Old school applications on the Internet(was Anti-MS drivel) Bill Royds (Jan 23)
- RE: Anti-MS drivel Scott Taylor (Jan 17)
- Re: Old school applications on the Internet (was Anti-MS drivel) Nico Golde (Jan 22)
- Re: Anti-MS drivel yossarian (Jan 20)
- Re: Anti-MS drivel Lee (Jan 18)