Dailydave mailing list archives

Spooling for root


From: Dave Aitel <dave () immunitysec com>
Date: Thu, 01 Sep 2005 19:25:48 -0400

So I was on the plane back from Vancouver (Congrats K2 and Mrs. K2!) and I'm thinking, if Immunity, which has .5 people doing research at any given time, had one out of the three critical MS bugs last month, what are the chances that anyone with, say, a tiny team of 10 people, didn't have them all a few years back? I think it'd be interesting to see how many bugs Immunity, with .5 people, has over a long period of time compared to what, say, an organization with a measly 10 people on research has.

If I had a ton of cash, and some reason to do research, I'd probably have two 10 person teams. The first 10 person team would be using today's technology to find and exploit bugs. The second team would be building the next generation of audit and analysis tools. Obviously I don't, or we'd have had more than the one bug this month. I think I could pretty much guarantee complete coverage that way. Anyone want to bet a few million bucks on it?

So I guess the question is, does the Chinese/Russian/US govt have such a setup, and is it a worry for your particular organization? There are a lot of organizations out there that HAVE bet a few million bucks that no one is good enough to have 0day. Gotta laugh at that.

Today we released a finished (mostly local) TAPI and (multi-language) Spooler and (again, multi-language) PNP from the Partner's program into CANVAS Professional. This means some of the cheaper IDSes which haven't paid for the Partner program, but do have CANVAS Professional, will start detecting Spooler and TAPI. But does that mean that there are MORE Spooler attacks, or that the Spooler attacks that have been out there for years are starting to be seen? I wonder if MS will change their web page to remove the stuff about Spooler being a DoS. Our exploit has this funny "bug" where it pops up two shells every time by mistake. That's twice the not-a-DoS for the price of one...

Is anyone at Syscan in Bangkok? Theoretically, today is the first day Window can post to this list, so maybe she'll give us a conference roundup. I guess it's also possible The Grugq will enlighten us, probably from in between some well deserved forensic debauchery.

-dave
