Dailydave mailing list archives

Re: RE: Microsoft silently fixes security vulnerabilities


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Thu, 20 Apr 2006 09:21:26 -0500

On Wednesday 19 April 2006 07:42, Ari Takanen wrote:
> So Steve I agree most vendors would prefer fixing the security
> problems quietly like any other quality problems, and in my opinion
> this is a perfect method of handling vulnerabilities.

That doesn't work. The fact that vendors are doing this is one of the 
contributing factors for many of the flaws I find. Without detailed 
information about what bugs have been fixed, I have to spend even more 
time trying to figure out what bug relates to the patch. I end up finding 
all the bugs I wasn't looking for. Below are some example Metasploit 
modules of "finding the wrong bug" after a public disclosure:

ie_iscomponentinstalled - Silently patched in XP SP0/2000 SP4
hpux_lpd_exec - Silently patched sometime between 1999 and 2001
rsa_iiswebagent_redirect - Found while looking for the heap overflow
solaris_lpd_unlink - Found when working on the command execution bug
arkeia_agent_access - Found when working on the 'Type 77' overflow

Another example of someone uncovering a "better bug" is Solar Eclipse's 
exploit for MS04-007:
http://www.phreedom.org/solar/exploits/msasn1-bitstring/

I still have a handful of bugs sitting around for Timbuktu - the company 
that released the last advisory wouldn't provide details, so I spent four 
hours looking for it, and keep finding new ones. I contacted the company 
and offered to give them the new bugs for information on the old one - I 
was trying to write a vulnerability check and this was taking too long as 
is. The company refused, citing their disclosure policy, and I still 
haven't got around to writing the advisories.

Silent patching helps attackers by preventing the NIPS/HIPS/VA companies 
from being able to protect their customers. In previous pen-test 
engagements, I preferred to use an unknown, but patched flaw over a 
widely-reported one every time. The admin doesn't know about it, the 
vendor has a patch for it, and I don't have to worry about anyone having 
a signature for it.

-HD
