Dailydave mailing list archives
Re: Faster, smashter.
From: "Marc Maiffret" <marc () marcmaiffret com>
Date: Wed, 10 Dec 2008 01:33:42 -0800
I remember when I first read an email from some people in ADM, I believe, who were advocating that researchers should stop publishing vulnerabilities/exploits and start keeping things underground. To me it was as much a signaling to the last days of hacking as it was to the start of the vulnerability well drying up. The whole world was about to be breathing down Microsoft's neck over the next few years, Trustworthy Computing would be born, and Microsoft would end up being no longer the security laughingstock but the company most people would recognize as a leader by example for what companies like Adobe and others should be doing. Not to say they are by any means perfect :-)

In the late 90's there were more zeroday vulnerabilities than anyone knew what to do with. Most of these exploits were not even that private and even floated on many security mailing lists for a very long time before they were ever patched. As the security industry started to boom in the early 00's, a lot of researchers realized that vulnerabilities were of marketing value for both themselves and the companies that hired them. Security companies and researchers went absolutely nuts harvesting every vulnerability they could as quickly as possible. In parallel, people wishing to break into systems or write worms never had to worry about finding vulnerabilities of their own as there was no shortage of vulnerabilities.

But a good thing never lasts...

After enough punches to the face Microsoft decided to finally do something about their security problem beyond marketing rhetoric and spend whatever amount of money required to solve this unsolvable problem. The combination of Microsoft doing everything it could to find and remediate its own vulnerabilities, along with researchers and security companies working in a frenzy to get credit for the next vulnerability, made for the drying of the well to happen even faster than most anyone could have anticipated.
The well that so many people, for so many reasons, used to go to is continuing to dry up at a rapid pace. This has required things like zeroday vulnerabilities to become a reality again as a means not of being the biggest and baddest threat but of simple survival against a software giant that truly has been awoken. As we continue down this path of eroding vulnerabilities people will cling to their zeroday vulnerabilities even more, driving the price of zeroday vulnerabilities up but the usage of these vulnerabilities down. They will be worth too much to waste on the masses. Not that there won't be the unexplainable crazy attacker here or there. This for the most part is already the case now and even more so in the future.

The biggest threat to the average computer user is not zeroday vulnerabilities but system misconfigurations and vulnerabilities within third party applications. Most organizations are only just starting to get a handle on patching Microsoft vulnerabilities, let alone third party applications. This becomes even more apparent with consumers and small to medium sized businesses where they only have Windows Update and WSUS to depend on. There is simply no third party patching being done in these environments, making it a LOT more likely for them to get owned with a 6 month old Adobe Acrobat vulnerability than some zeroday vulnerability. This is currently the lowest hanging fruit for attackers and does not require an attacker to have large sums of money to waste on buying zeroday attacks. Microsoft knows this is a bigger threat to their customers right now than zeroday vulnerabilities. Maybe they will finally do what they mentioned so many years ago and open Windows Update to third party vendors and continue to dry the well some more.

Security to me is about vigilance, intellect and tenacity...
Some people are simply not cut out for a race that has no finish line and many of the people who could make a difference are not willing to risk their egos and reputations to find solutions to problems we all repeat like broken records. But we can talk about all of this and why anti-virus sucks all over again next year or maybe all of us risk intellectuals can start taking some risks of our own.

-Marc Maiffret