Dailydave mailing list archives
RE: Microsoft silently fixes security vulnerabilities
From: "Steve Manzuik" <smanzuik () eeye com>
Date: Thu, 20 Apr 2006 23:39:36 -0700
Interesting response Ari. Consider this scenario: Researcher finds and reports Vulnerability A. It is a remote code execution but exploitation of the vulnerability is difficult. Vendor during their investigation identifies code affected by Vulnerability A and also identifies Vulnerability B which is also a remote code execution but much easier to exploit. Both A and B exist in the same function. Vendor says nothing about Vulnerability B but patches both in their release and rates it Critical. Researcher releases advisory on Vulnerability A and agrees with others who point out the difficulty in reliable exploitation. Corporation observes that Vulnerability A is difficult to exploit and therefore lowers their internal risk rating and simply schedules the patch for the next available change window. Signature based protections are updated and false sense of security sets in... Beers are drank everywhere. Attacker (or anyone for that matter) reverse engineers the patch, identifies Vulnerability B and realizes that it is much more reliable to exploit than the publicly disclosed vulnerability. Corporation gets owned. Hung over IT guy develops an ulcer if he didn't have one already. Anyone who has spent anytime as the "IT guy" has learned the hard way to not explicitly trust the os vendor. Why do we recommend the best practice of setting up test beds for patches? Why do we recommend proper change control and change management --- because our operating system vendors have steered us wrong enough in the past to cause us considerable job related stress. I would love to see some stats from others on here on how long it takes you to reverse a patch (use MS as an example if you want) and identify the vulnerability. I do remember vaguely some numbers tossed out by Dave... But that was during much beers at the first PacSec. :P Cheers; Steve Manzuik (thanking some random religious symbol that he isn't an "IT guy")
Current thread:
- Microsoft silently fixes security vulnerabilities Marc_Bevand (Apr 15)
- <Possible follow-ups>
- RE: Microsoft silently fixes security vulnerabilities Steve Manzuik (Apr 17)
- RE: Microsoft silently fixes security vulnerabilities Ari Takanen (Apr 19)
- Re: RE: Microsoft silently fixes security vulnerabilities H D Moore (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Chris Anley (Apr 23)
- Re: RE: Microsoft silently fixes security vulnerabilities Nick DeBaggis (Apr 23)
- Re: RE: Microsoft silently fixes security vulnerabilities Chris Anley (Apr 24)
- Re: RE: Microsoft silently fixes security vulnerabilities H D Moore (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Bryan Burns (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Pusscat (Apr 21)