funsec mailing list archives
Re: vulnerability overstatement
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Thu, 21 Jan 2010 22:07:53 +0200 (EET)
Yes, eight issues: http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

Juha-Matti

Larry Seltzer [larry () larryseltzer com] wrote:

BTW, the severity ratings in Microsoft's advance advisory seemed weird to me; almost everything was critical, even those platforms with real mitigations, so I asked them. The answer is that the Aurora bug isn't the only one being patched tomorrow. Eight vulnerabilities will be patched.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer () ziffdavis com
http://blogs.pcmag.com/securitywatch/

-----Original Message-----
From: Charles Miller [mailto:cmiller () securityevaluators com]
Sent: Wednesday, January 20, 2010 5:39 PM
To: Larry Seltzer
Cc: funsec () linuxbox org
Subject: Re: [funsec] vulnerability overstatement

Yes, that exploit works 1/3 of the time on XP and practically not at all once ASLR is thrown in. But that doesn't mean exploits only work 1/3 of the time with this vulnerability on XP. Probably if someone cared to they could make it work 99% of the time, and MS doesn't refute this. Likewise, an exploit doesn't try to defeat ASLR by guessing addresses, that's stupid, as MS points out. However, that doesn't mean you can't code up an ASLR+DEP bypassing exploit for this vuln. And if I wrote one, I certainly wouldn't be giving it to MS for testing! :)

So researchers just want people to know that 'turning on DEP' doesn't solve the problem, just makes it harder (or makes the bad guy have to be smarter).

But, Tavis does rock.

Charlie

On Jan 20, 2010, at 3:53 PM, Larry Seltzer wrote:

It bugs me that (in general) security researchers and vendors never give a full picture of mitigating factors and limitations when discussing an attack. They want users to perceive the threat to be as widespread as possible. Remember, those guys are just in it for the money too.

Let's compare two very recent examples: VUPEN's DEP-bypassing exploit for the Aurora bug for one. What they said in public made it sound like the exploit just plain runs on platforms where it had been blocked by DEP, but I suspected a problem from the beginning: DEP bypass schemes generally rely on techniques that are defeated by ASLR, and IE runs with ASLR by default on Vista and Win7. Sure enough, Microsoft's response to these claims (and I believe them) is that ASLR greatly limits the utility of the DEP bypass: http://blogs.technet.com/srd/archive/2010/01/20/reports-of-dep-being-bypassed.aspx. On Vista and Win7 the odds that it will execute are too remote to bother with. Even on XP, it only works 1 in 3 chances.

Contrast that with Tavis Ormandy's disclosure yesterday of the VDM privilege elevation hack. He explained in full how it worked *and* a) that it doesn't work on 64-bit kernels and b) gave instructions on how to disable the 16-bit subsystems as a workaround. What a gentleman. It sounds like he really just wants to help.

Security firms never tell you that you need to run as administrator to be vulnerable to something or that it won't execute reliably or that you had to choose to run it manually. They just want you to be afraid.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer () ziffdavis com
http://blogs.pcmag.com/securitywatch/