Dailydave mailing list archives
Re: RE: Microsoft silently fixes security vulnerabilities
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Thu, 20 Apr 2006 09:21:26 -0500
On Wednesday 19 April 2006 07:42, Ari Takanen wrote:
So Steve, I agree most vendors would prefer fixing the security problems quietly like any other quality problems, and in my opinion this is a perfect method of handling vulnerabilities.
That doesn't work. The fact that vendors are doing this is one of the contributing factors for many of the flaws I find. Without detailed information about what bugs have been fixed, I have to spend even more time trying to figure out what bug relates to the patch. I end up finding all the bugs I wasn't looking for.

Below are some example Metasploit modules of "finding the wrong bug" after a public disclosure:

ie_iscomponentinstalled - Silently patched in XP SP0/2000 SP4
hpux_lpd_exec - Silently patched sometime between 1999 and 2001
rsa_iiswebagent_redirect - Found while looking for the heap overflow
solaris_lpd_unlink - Found when working on the command execution bug
arkeia_agent_access - Found when working on the 'Type 77' overflow

Another example of someone uncovering a "better bug" is Solar Eclipse's exploit for MS04-007:
http://www.phreedom.org/solar/exploits/msasn1-bitstring/

I still have a handful of bugs sitting around for Timbuktu - the company that released the last advisory wouldn't provide details, so I spent four hours looking for it, and keep finding new ones. I contacted the company and offered to give them the new bugs for information on the old one - I was trying to write a vulnerability check and this was taking too long as is. The company refused, citing their disclosure policy, and I still haven't got around to writing the advisories.

Silent patching helps attackers by preventing the NIPS/HIPS/VA companies from being able to protect their customers. In previous pen-test engagements, I preferred to use an unknown, but patched flaw over a widely-reported one every time. The admin doesn't know about it, the vendor has a patch for it, and I don't have to worry about anyone having a signature for it.

-HD
Current thread:
- Microsoft silently fixes security vulnerabilities Marc_Bevand (Apr 15)
- <Possible follow-ups>
- RE: Microsoft silently fixes security vulnerabilities Steve Manzuik (Apr 17)
- RE: Microsoft silently fixes security vulnerabilities Ari Takanen (Apr 19)
- Re: RE: Microsoft silently fixes security vulnerabilities H D Moore (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Chris Anley (Apr 23)
- Re: RE: Microsoft silently fixes security vulnerabilities Nick DeBaggis (Apr 23)
- Re: RE: Microsoft silently fixes security vulnerabilities Chris Anley (Apr 24)
- Re: RE: Microsoft silently fixes security vulnerabilities H D Moore (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Bryan Burns (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Pusscat (Apr 21)