Secure Coding mailing list archives

Previous By Date Next
Previous By Thread Next

BSIMM update (informIT)

From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 4 Feb 2010 14:23:20 -0500 (EST)

On Thu, 4 Feb 2010, Jim Manico wrote:


These companies are examples of recent "epic security failure". Probably 
the most financially damaging infosec attack, ever. Microsoft let a 
plain-vanilla 0-day slip through ie6 for years


Actually, it was a not-so-vanilla use-after-free, which once upon a time 
was only thought of as a reliability problem, but lately, exploit and 
detection techniques have recently begun bearing fruit for the small 
number of people who actually know how to get code execution out of these 
bugs.  In general, Microsoft (and others) have gotten their software to 
the point where attackers and researchers have to spend a lot of time and 
$$$ to find obscure vuln types, then spend some more time and $$$ to work 
around the various protection mechanisms that exist in order to get code 
execution instead of a crash.

I can't remember the last time I saw a Microsoft product have a 
mind-numbingly-obvious problem in it.  It would be nice if statistics were 
available that measured how many person-hours and CPU-hours were used to 
find new vulnerabilities - then you could determine the ratio of 
level-of-effort to number-of-vulns-found.  That data's not available, 
though - we only have anecdotal evidence by people such as Dave Aitel and 
David Litchfield saying "it's getting more difficult and time-consuming."

- Steve
Previous By Date Next
Previous By Thread Next

Current thread: