Dailydave mailing list archives
Re: The lack of hard questions
From: "Pusscat" <pusscat () metasploit com>
Date: Wed, 3 Sep 2008 10:44:27 -0400
Bringing this back around to the main question, apart from the idea that it's difficult to say with certainty that a vuln is not exploitable, Microsoft is really asking how likely are we to see a reliable exploit in the wild. I think this is a much easier question to answer, because there are other important limiting factors in the decision to even work on an exploit, such as:

- Deployment width of the vulnerable service
- Likelihood of exposure
- Effort / gain ratio of exploit dev
- Something /else/ better being released in the same patch package (is there something else tastier and easier? Might as well attack that if the two vulns are in the same patch set)

So often one can look at a bug and say, this is difficult, it might not be reliable, not everyone will have this turned on, and hey look, they killbitted an ActiveX control that's easy in the same KB number. Screw it. I'll write the AX exploit instead and get better ROI.

This is why I don't think that in most cases these estimations will be far off, especially considering the crowd that'll be looking the possibilities over. The real questions only occur when they release a kernel bug just after a holiday that affects everyone, and no one is sure if it's possible to gain execution, but it sure looks delicious ;)

~ Lurene

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Matt
Sent: Tuesday, September 02, 2008 4:41 PM
To: Charles Miller
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] The lack of hard questions

On Mon, 1 Sep 2008, Charles Miller wrote:
First off, I'm not a MS hater. I'm sure MS has security guys better
Hey Charles,

It's interesting that you have to note this in the first place. I am noticing that people are pulling out the "anti-Microsoft" label a lot when they want to deflate the legitimacy of what someone is saying. It's getting really irritating. I don't know if this was a concerted effort planned by Microsoft to induce sympathy, or what.

Last year, Luis and I actually had one of our students put in the comments that we were anti-Microsoft. The entire code for bugreport, that we use as a reference implementation, is written in C# for fuck's sake!

Just because people aren't wearing out their knees (and jaws) continually worshipping at the shrine of Microsoft doesn't mean they're "against" everything that everyone working for Microsoft has accomplished. Quite the contrary, for me, anyways. It's when I see something good that's so close to being great and falling short for no reason, it's just that much more disappointing.

Really looking forward to spherical Surface and holographic displays being purchasable soon, and a fully managed OS :)

--
tangled strands of DNA explain the way that I behave.
http://www.clock.org/~matt

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave