Full Disclosure mailing list archives
Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011
From: "Geoincidents" <geoincidents () getinfo org>
Date: Thu, 15 Apr 2004 07:50:15 -0400
I can see that you don't know anything about finding vulnerabilities or writing exploits. What you just said is "Hey d3wd, there's like a vulnerability in windows man, and h3h see if you can find it d00d!".
Isn't that exactly the assumption that eeye proceeds under? The original statement to which I responded suggested "what if someone exploited ASN.1 before microsoft had a patch ready". I then suggested that there are damn few people capable of finding and exploiting such without help from folks like the guys at eeye (that was not meant as a cut to Immunity, Inc. nor was I talking specifically about ASN.1). So I feel it's perfectly proper to point out that the eeye URL is a list of exploitable code that vendors have not patched yet and which eeye has not posted details (ie no help from eeye), it was actually a much more impressive list a month ago. Where are the exploits for these from the worm/virus writers, if they and the other exploit coders were so skilled Microsoft wouldn't be taking 4 - 6 months to patch this stuff. (I don't know Dave so this really isn't a reflection on his personal skill set, and I'm sure he's a responsible discloser so MS doesn't see him as a threat) If hackers could read the eeye list then find and exploit those flaws without further help from eeye then Microsoft would be forced to deal with these issues much faster. How long was this last batch of exploits posted on the eeye site before they were patched the other day? The fact that isn't happening even though eeye has posted their list should be sufficient proof that the skill set required is beyond most. Perhaps Dave is capable but doesn't feel it's worth the effort until the details are released, I could believe that, but the fact that none of the worm writers are doing it when clearly it's worth far more to them prior to a patch release is very telling. To put it another way, imagine the woody a worm writer would get from creating a worm based on a universal windows exploit like lsass or asn.1 where the worm grabbed the windows CD key like keyfinder does http://www.magicaljellybean.com/keyfinder.shtml then included the CD keys from the last 100 machines it infected in an email sent to everyone in the address book. Clearly the motivation is there, the flaws are there, it's the skill set that is missing. Geo. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Hugh Mann (Apr 14)
- Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Geoincidents (Apr 15)
- Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Nicob (Apr 15)
- RE: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Aditya, ALD [Aditya Lalit Deshmukh] (Apr 16)
- Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Geoincidents (Apr 15)