funsec mailing list archives
Re: vulnerability overstatement
From: "Thomas Raef" <TRaef () wewatchyourwebsite com>
Date: Wed, 20 Jan 2010 16:18:51 -0600
FUD: Fear, Uncertainty & Doubt (unless you're a hacker, then FUD is Fully UnDetectable).

I admit that in my early days of marketing security services I thought I would rely on the emotional buying factor of fear, but quickly realized that FUD is a dud and you can't scare someone into buying.

There is a company that offers website vulnerability scanning that still tries to operate on FUD, and they're having a hard time convincing people to buy their services, but every time I see something from them, it's all about FUD.

For those of you wordsmiths, my last name spelled backwards is fear.

Thomas J. Raef
e-Based Security <http://www.ebasedsecurity.com/>
"You're either hardened or you're hacked!"
We Watch Your Website <http://www.wewatchyourwebsite.com/>
"We Watch Your Website - so you don't have to."

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Larry Seltzer
Sent: Wednesday, January 20, 2010 3:53 PM
To: funsec () linuxbox org
Subject: [funsec] vulnerability overstatement

It bugs me that (in general) security researchers and vendors never give a full picture of mitigating factors and limitations when discussing an attack. They want users to perceive the threat to be as widespread as possible. Remember, those guys are just in it for the money too.

Let's compare two very recent examples: VUPEN's DEP-bypassing exploit for the Aurora bug for one. What they said in public made it sound like the exploit just plain runs on platforms where it had been blocked by DEP, but I suspected a problem from the beginning: DEP bypass schemes generally rely on techniques that are defeated by ASLR, and IE runs with ASLR by default on Vista and Win7. Sure enough, Microsoft's response to these claims (and I believe them) is that ASLR greatly limits the utility of the DEP bypass: http://blogs.technet.com/srd/archive/2010/01/20/reports-of-dep-being-bypassed.aspx. On Vista and Win7 the odds that it will execute are too remote to bother with. Even on XP, it only works 1 in 3 chances.

Contrast that with Tavis Ormandy's disclosure yesterday of the VDM privilege elevation hack. He explained in full how it worked *and* a) that it doesn't work on 64-bit kernels and b) gave instructions on how to disable the 16-bit subsystems as a workaround. What a gentleman. It sounds like he really just wants to help.

Security firms never tell you that you need to run as administrator to be vulnerable to something, or that it won't execute reliably, or that you had to choose to run it manually. They just want you to be afraid.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer () ziffdavis com
http://blogs.pcmag.com/securitywatch/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- vulnerability overstatement Larry Seltzer (Jan 20)
- Re: vulnerability overstatement Charles Miller (Jan 20)
- Re: vulnerability overstatement Larry Seltzer (Jan 20)
- Re: vulnerability overstatement Larry Seltzer (Jan 20)
- Re: vulnerability overstatement Larry Seltzer (Jan 20)
- Re: vulnerability overstatement Valdis . Kletnieks (Jan 20)
- Re: vulnerability overstatement Larry Seltzer (Jan 20)
- Re: vulnerability overstatement Paul Ferguson (Jan 20)
- Re: vulnerability overstatement Larry Seltzer (Jan 20)
- Re: vulnerability overstatement Paul Ferguson (Jan 20)
- Re: vulnerability overstatement Larry Seltzer (Jan 20)
- Re: vulnerability overstatement Charles Miller (Jan 20)
- <Possible follow-ups>
- Re: vulnerability overstatement Thomas Raef (Jan 20)
- Re: vulnerability overstatement Juha-Matti Laurio (Jan 21)
- Re: vulnerability overstatement Larry Seltzer (Jan 21)
- Re: vulnerability overstatement Juha-Matti Laurio (Jan 21)