Dailydave mailing list archives

SV: RE: Microsoft silently fixes security vulnerabilities


From: "Carl-Johan Bostorp" <carl-johan.bostorp () hps se>
Date: Thu, 20 Apr 2006 13:09:50 +0200

Hi Ari,

Interesting distinction there between reactive and proactive. Perhaps this distinction also identifies two different 
needs for information? (You've obviously thought about it, but I'd like to elaborate on it) Exactly *who* are you 
protecting from *what* by withholding information?

While it is true that removing the disclosure step will decrease the NUMBER of people knowing about and exploiting the 
vulnerability, there will still be people who know about it, and my guess is that those are also the people who are able 
to cause the greatest impact. And it seems we share the belief that the places where patches aren't installed right away 
can be the places where the biggest impact can be made.

So, if you're not willing to inform just how badly the patch needs to be applied, maybe it won't be done, and the 
consequence will be that the people who are capable of causing the most damage still have the possibility of doing so. 
For some environments this might not be a big issue as they're not likely to attract that kind of attention from such 
people, but there are still quite a few targets out there that are.

Also, there's another aspect to this, as some licenses (or other reasons) require that even if you own the box and 
operate it in your network, you're not allowed to apply any patches to it. Security here needs to be dealt with 
differently, and one of the methods that can be used is an IPS. Hopefully, those IPSs are so tightly set to begin 
with that they won't be affected by any of your fuzzer-found vulnerabilities, but what if there is a vulnerability that 
would pass? How would one know that without you releasing any information (unless, of course, they themselves decompile 
the patch to see for themselves what's been done)?

Not disclosing full information about your patches sets you up for a serious trust issue, and if organisations are to 
be REQUIRED to decompile and manually inspect every patch you provide, they're not gonna be happy, and I'm guessing 
chances are that most don't do it today and won't do it until some pen-tester comes along, exploits a bug and reminds 
them that it is *NOT* only a theoretical requirement, that the threat is real and the consequences can be grave.

This discussion obviously opens up the question of how one would like things to be run in these organisations, but I 
think change there takes time, and in the meantime I think it's important to adapt to what actually exists right now.

/C-J


-----Original Message-----
From: Ari Takanen [mailto:art () codenomicon com] 
Sent: 19 April 2006 14:42
To: dailydave () lists immunitysec com
Cc: Marc_Bevand () rapid7 com
Subject: [Dailydave] RE: Microsoft silently fixes security vulnerabilities

Hello all,

Are you sure you want to do risk assessment for all the thousands of security flaws that e.g. our robustness testing 
tools can find? Do you want to add filters and protections for all the millions of attack simulations that fuzzing 
tools can generate? Can you protect against e.g. all the attacks that PROTOS tools simulate?

...

---