Dailydave mailing list archives

Re: The lack of hard questions


From: "Pusscat" <pusscat () metasploit com>
Date: Wed, 3 Sep 2008 10:44:27 -0400

Bringing this back around to the main question, apart from the idea that
it's difficult to say with certainty that a vuln is not exploitable,
Microsoft is really asking how likely are we to see a reliable exploit in
the wild. I think this is a much easier question to answer, because there
are other important limiting factors in the decision to even work on an
exploit, such as:

- Deployment width of the vulnerable service
- Likelihood of exposure
- Effort / gain ratio of exploit dev
- Something /else/ better being released in the same patch package (is there
something else tastier and easier? Might as well attack that if the two
vulns are in the same patch set)

So often one can look at a bug and say, this is difficult, it might not be
reliable, not everyone will have this turned on, and hey look, they
killbitted an ActiveX control that's easy in the same KB number. Screw it.
I'll write the AX exploit instead and get better ROI.

This is why I don't think that in most cases these estimations will be far
off, especially considering the crowd that'll be looking the possibilities
over.

The real questions only occur when they release a kernel bug just after a
holiday that affects everyone, and no one is sure if it's possible to gain
execution, but it sure looks delicious ;)

~ Lurene


-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Matt
Sent: Tuesday, September 02, 2008 4:41 PM
To: Charles Miller
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] The lack of hard questions

On Mon, 1 Sep 2008, Charles Miller wrote:

> First off, I'm not a MS hater.  I'm sure MS has security guys better

Hey Charles,

It's interesting that you have to note this in the first place.

I am noticing that people are pulling out the "anti-Microsoft" label a lot 
when they want to deflate the legitimacy of what someone is saying. It's 
getting really irritating. I don't know if this was a concerted effort 
planned by Microsoft to induce sympathy, or what.

Last year, Luis and I actually had one of our students put in the comments 
that we were anti-Microsoft. The entire code for bugreport, that we use as 
a reference implementation, is written in C# for fuck's sake!

Just because people aren't wearing out their knees (and jaws) continually 
worshipping at the shrine of Microsoft doesn't mean they're "against" 
everything that everyone working for Microsoft has accomplished. Quite the 
contrary, for me, anyways. It's when I see something good that's so 
close to being great and falling short for no reason, it's just that much 
more disappointing.

Really looking forward to spherical Surface and holographic displays being 
purchasable soon, and a fully managed OS :)

--
tangled strands of DNA explain the way that I behave.
http://www.clock.org/~matt
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
