Penetration Testing mailing list archives
Re: New article on SecurityFocus
From: "Drew Simonis" <simonis () myself com>
Date: Fri, 06 Jan 2006 10:21:36 -0500
Overall, I think the community's coverage of wmf has been delivered with an ounce of perception, and a pound of obscurity. It's almost as if people *want* it to be worse than it is. I'm not surprised, of course. But regardless, my call is that we'll see a little activity here and there, the patch will come out, most will install it (or have it installed automatically) and the whole issue will fade away. But that's all. We'll know for sure shortly, either way.
Thor, I think your path of thought is stuck a bit in the past. Worms are neat as a technical exercise, but we see more and more that the attackers are increasingly aware of the value of these vulnerabilities from a financial perspective, not merely for notoriety. As such, it benefits the attacker to have a less subtle attack, one that does not sensationalize the vulnerability. Complacency is their ally. That said, there are already numerous (hundreds+) "legitimate" web sites that have been compromised and had exploit images injected into their content. There are also already hundreds of thousands of machines that have been infected with Trojans or bots. These infected machines will patch, but they won't be safe, and the problem gets worse. So no, there won't be some catastrophic worm event. But I posit that what there will be could be much worse.