Secure Coding mailing list archives
BSIMM update (informIT)
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 4 Feb 2010 14:23:20 -0500 (EST)
On Thu, 4 Feb 2010, Jim Manico wrote:
These companies are examples of recent "epic security failure". Probably the most financially damaging infosec attack, ever. Microsoft let a plain-vanilla 0-day slip through ie6 for years
Actually, it was a not-so-vanilla use-after-free, which once upon a time was only thought of as a reliability problem, but lately, exploit and detection techniques have recently begun bearing fruit for the small number of people who actually know how to get code execution out of these bugs. In general, Microsoft (and others) have gotten their software to the point where attackers and researchers have to spend a lot of time and $$$ to find obscure vuln types, then spend some more time and $$$ to work around the various protection mechanisms that exist in order to get code execution instead of a crash. I can't remember the last time I saw a Microsoft product have a mind-numbingly-obvious problem in it. It would be nice if statistics were available that measured how many person-hours and CPU-hours were used to find new vulnerabilities - then you could determine the ratio of level-of-effort to number-of-vulns-found. That data's not available, though - we only have anecdotal evidence by people such as Dave Aitel and David Litchfield saying "it's getting more difficult and time-consuming." - Steve
Current thread:
- BSIMM update (informIT), (continued)
- BSIMM update (informIT) McGovern, James F. (eBusiness) (Feb 04)
- BSIMM update (informIT) Brian Chess (Feb 04)
- BSIMM update (informIT) Gary McGraw (Feb 04)
- BSIMM update (informIT) McGovern, James F. (eBusiness) (Feb 04)
- BSIMM update (informIT) McGovern, James F. (eBusiness) (Feb 04)
- BSIMM update (informIT) Wall, Kevin (Feb 02)
- BSIMM update (informIT) Steven M. Christey (Feb 02)
- BSIMM update (informIT) Gary McGraw (Feb 03)
- BSIMM update (informIT) Mike Boberski (Feb 03)
- BSIMM update (informIT) Steven M. Christey (Feb 03)
- BSIMM update (informIT) Jim Manico (Feb 04)
- BSIMM update (informIT) Steven M. Christey (Feb 04)
- BSIMM update (informIT) Gary McGraw (Feb 04)
- Thread is dead -- Re: BSIMM update (informIT) Kenneth Van Wyk (Feb 04)
- Message not available
- Message not available
- BSIMM update (informIT) Steven M. Christey (Feb 04)
- BSIMM update (informIT) Steven M. Christey (Feb 02)
- Metrics McGovern, James F. (eBusiness) (Feb 05)
- Metrics Steven M. Christey (Feb 05)
- Metrics Arian J. Evans (Feb 05)
- BSIMM update (informIT) Steven M. Christey (Feb 02)
- BSIMM update (informIT) Mike Boberski (Feb 02)
- BSIMM update (informIT) Gary McGraw (Feb 03)