Dailydave mailing list archives

Re: Faster, smashter.


From: "Marc Maiffret" <marc () marcmaiffret com>
Date: Wed, 10 Dec 2008 01:33:42 -0800

I remember when I first read an email from some people in ADM, I believe,
who were advocating that researchers should stop publishing
vulnerabilities/exploits and start keeping things underground. To me it was
as much a signaling to the last days of hacking as it was to the start of
the vulnerability well drying up. The whole world was about to be breathing
down Microsoft's neck over the next few years, Trustworthy Computing would
be born, and Microsoft would end up being no longer the security
laughingstock but the company most people would recognize as a leader by
example for what companies like Adobe and others should be doing. Not to say
they are by any means perfect :-)

In the late 90's there were more zeroday vulnerabilities than anyone knew
what to do with. Most of these exploits were not even that private and even
floated on many security mailing lists for a very long time before they were
ever patched. As the security industry started to boom in the early 00's a
lot of researchers realized that vulnerabilities were of marketing value for
both themselves and the companies that hired them. Security companies and
researchers went absolutely nuts harvesting every vulnerability they could
as quickly as possible. In parallel people wishing to break into systems or
write worms never had to worry about finding vulnerabilities of their own as
there was no shortage of vulnerabilities. But a good thing never lasts...

After enough punches to the face Microsoft decided to finally do something
about their security problem beyond marketing rhetoric and spend whatever
amount of money required to solve this unsolvable problem. The combination
of Microsoft doing everything it could to find and remediate its own
vulnerabilities, along with researchers and security companies working in a
frenzy to get credit for the next vulnerability, made for the drying of the
well to happen even faster than most anyone could have anticipated.

The well that so many people, for so many reasons, used to go to is
continuing to dry up at a rapid pace. This has required things like zeroday
vulnerabilities to become a reality again as a means not of being the
biggest and baddest threat but of simple survival against a software giant
that truly has been awoken.

As we continue down this path of eroding vulnerabilities people will cling
to their zeroday vulnerabilities even more, driving the price of zeroday
vulnerabilities up but the usage of these vulnerabilities down. They will be
worth too much to waste on the masses. Not that there won't be the
unexplainable crazy attacker here or there. This for the most part is
already the case now and even more so in the future. 

The biggest threat to the average computer user is not zeroday
vulnerabilities but system misconfigurations and vulnerabilities within
third party applications. Most organizations are only just starting to get a
handle on patching Microsoft vulnerabilities let alone third party
applications. This becomes even more apparent with consumers and small to
medium sized businesses where they only have Windows Update and WSUS to
depend on. There is simply no third party patching being done in these
environments making it a LOT more likely for them to get owned with a 6
month old Adobe Acrobat vulnerability than some zeroday vulnerability. This
is currently the lowest hanging fruit for attackers and does not require an
attacker to have large sums of money to waste on buying zeroday attacks.
Microsoft knows this is a bigger threat to their customers right now than
zeroday vulnerabilities. Maybe they will finally do what they mentioned so
many years ago and open Windows Update to third party vendors and continue
to dry the well some more.

Security to me is about vigilance, intellect and tenacity... Some people are
simply not cut out for a race that has no finish line and many of the people
who could make a difference are not willing to risk their egos and
reputations to find solutions to problems we all repeat like broken records.
But we can talk about all of this and why anti-virus sucks all over again
next year or maybe all of us risk intellectuals can start taking some risks
of our own.

-Marc Maiffret

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

