Dailydave mailing list archives

Re: RE: Microsoft silently fixes security vulnerabilities

From: Pusscat <pusscat () gmail com>
Date: Fri, 21 Apr 2006 11:10:02 -0400

As for time to reverse a given MS patch to find a specific vuln, it's
usually less than 2 hours from release to PoC.  Most of the time, patch day
turn around can be under 24 hours for developing a PoC for every vuln
released.

This is just an average though. Sometimes (a few lately come to mind) MS has
produced terrible patches that don't give anything away, and don't really
address the actual problem, whereas other times they practically hand you
the vuln gift wrapped in their FAQ or mitigations.

On 4/21/06 2:39 AM, "Steve Manzuik" <smanzuik () eeye com> wrote:

Interesting response Ari.

Consider this scenario:
 
Researcher finds and reports Vulnerability A.  It is a remote code
execution but exploitation of the vulnerability is difficult.

Vendor during their investigation identifies code affected by
Vulnerability A and also identifies Vulnerability B which is also a
remote code execution but much easier to exploit.  Both A and B exist in
the same function.

Vendor says nothing about Vulnerability B but patches both in their
release and rates it Critical.

Researcher releases advisory on Vulnerability A and agrees with others
who point out the difficulty in reliable exploitation.

Corporation observes that Vulnerability A is difficult to exploit and
therefore lowers their internal risk rating and simply schedules the
patch for the next available change window.  Signature based protections
are updated and false sense of security sets in... Beers are drank
everywhere.

Attacker (or anyone for that matter) reverse engineers the patch,
identifies Vulnerability B and realizes that it is much more reliable to
exploit than the publicly disclosed vulnerability.

Corporation gets owned.  Hung over IT guy develops an ulcer if he didn't
have one already.

Anyone who has spent anytime as the "IT guy" has learned the hard way to
not explicitly trust the os vendor.  Why do we recommend the best
practice of setting up test beds for patches?  Why do we recommend
proper change control and change management --- because our operating
system vendors have steered us wrong  enough in the past to cause us
considerable job related stress.

I would love to see some stats from others on here on how long it takes
you to reverse a patch (use MS as an example if you want) and identify
the vulnerability.  I do remember vaguely some numbers tossed out by
Dave... But that was during much beers at the first PacSec.  :P


Cheers;

Steve Manzuik
(thanking some random religious symbol that he isn't an "IT guy")


~ Puss

Current thread:

Microsoft silently fixes security vulnerabilities Marc_Bevand (Apr 15)
- <Possible follow-ups>
- RE: Microsoft silently fixes security vulnerabilities Steve Manzuik (Apr 17)
- RE: Microsoft silently fixes security vulnerabilities Ari Takanen (Apr 19)
  - Re: RE: Microsoft silently fixes security vulnerabilities H D Moore (Apr 21)
    - Re: RE: Microsoft silently fixes security vulnerabilities Chris Anley (Apr 23)
    - Re: RE: Microsoft silently fixes security vulnerabilities Nick DeBaggis (Apr 23)
    - Re: RE: Microsoft silently fixes security vulnerabilities Chris Anley (Apr 24)
- SV: RE: Microsoft silently fixes security vulnerabilities Carl-Johan Bostorp (Apr 20)
- RE: Microsoft silently fixes security vulnerabilities Steve Manzuik (Apr 21)
  - Re: RE: Microsoft silently fixes security vulnerabilities Bryan Burns (Apr 21)
  - Re: RE: Microsoft silently fixes security vulnerabilities Pusscat (Apr 21)
- RE: RE: Microsoft silently fixes security vulnerabilities Boily, Yvan (EST) (Apr 21)
- RE: RE: Microsoft silently fixes security vulnerabilities Steve Manzuik (Apr 21)