Re: vulnerability overstatement

[Juha-Matti Laurio <juha-matti.laurio () netti fi>]

Yes, eight issues:
http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

Juha-Matti

Larry Seltzer [larry () larryseltzer com] kirjoitti: 
> BTW, the severity ratings in Microsoft's advance advisory seemed weird
> to me; almost everything was critical, even those platforms with real
> mitigations, so I asked them.
>
> The answer is that the Aurora bug isn't the only one being patched
> tomorrow. Eight vulnerabilities will be patched.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer () ziffdavis com 
> http://blogs.pcmag.com/securitywatch/
>
>
> -----Original Message-----
> From: Charles Miller [mailto:cmiller () securityevaluators com] 
> Sent: Wednesday, January 20, 2010 5:39 PM
> To: Larry Seltzer
> Cc: funsec () linuxbox org
> Subject: Re: [funsec] vulnerability overstatement
>
> Yes, that exploit works 1/3 of the time on XP and practically not at  
> all once ASLR is thrown in.  But that doesn't mean exploits only work  
> 1/3 of the time with this vulnerability on XP.  Probably if someone  
> cared to they could make it work 99% of the time, and MS doesn't  
> refute this.  Likewise, an exploit doesn't try to defeat ALSR by  
> guessing addresses, that's stupid, as MS points out.  However, that  
> doesn't mean you can't code up an ASLR+DEP bypassing exploit for this  
> vuln.  And if I wrote one, I certainly wouldn't be giving it to MS for  
> testing!  :)  So researchers just want people to know that 'turning on  
> DEP' doesn't solve the problem, just makes it harder (or makes the bad  
> guy have to be smarter).
>
> But, Tavis does rock.
>
> Charlie
>
> On Jan 20, 2010, at 3:53 PM, Larry Seltzer wrote:
>
> > It bugs me that (in general) security researchers and vendors never  
> > give a full picture of mitigating factors and limitations when  
> > discussing an attack. They want users to perceive the threat to be  
> > as widespread as possible. Remember, those guys are just in it for  
> > the money too.
> >
> > Let's compare two very recent examples: VUPEN's DEP-bypassing  
> > exploit for the Aurora bug for one. What they said in public made it  
> > sound like the exploit just plain runs on platforms where it had  
> > been blocked by DEP, but I suspected a problem from the beginning:  
> > DEP bypass schemes generally rely on techniques that are defeated by  
> > ASLR, and IE runs with ASLR by default on Vista and Win7. Sure  
> > enough, Microsoft's response to these claims (and I believe them) is  
> > that ASLR greatly limits the utility of the DEP bypass:http:// 
> > blogs.technet.com/srd/archive/2010/01/20/reports-of-dep-being- 
> > bypassed.aspx. On Vista and Win7 the odds that it will execute are  
> > too remote to bother with. Even on XP, it only works 1 in 3 chances.
> >
> > Contrast that with Tavis Ormandy's disclosure yesterday of the VDM  
> > privilege elevation hack. He explained in full how it worked *and*  
> > a) that it doesn't work on 64-bit kernels and b) gave instructions  
> > on how to disable the 16-bit subsystems as a workaround. What a  
> > gentleman. It sounds like he really just wants to help.
> >
> > Security firms never tell you that you need to run as administrator  
> > to be vulnerable to something or that it won't execute reliably or  
> > that you had to choose to run it manually. They just want you to be  
> > afraid.
> >
> > Larry Seltzer
> > Contributing Editor, PC Magazine
> > larry_seltzer () ziffdavis com
> > http://blogs.pcmag.com/securitywatch/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.