Full Disclosure mailing list archives
Re: David Litchfield talks about the SQL Worm in the Washington Post
From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 29 Jan 2003 16:00:19 -0500 (EST)
Georgi Guninski said:
This sql hype highly resembles the code red stuff. Then people accused eeye for releasing the bug, though they didn't provide exploit code. IIRC Litchfield also didn't provide exploit code. Should advisories be "There is a bug. Go patch. End."?
Simply put, no. For CVE, we regularly - almost daily - run into situations where we can't figure out *which* bug a vendor actually patched. This is especially problematic with software that's used by multiple vendors, and/or with vendors who do not provide specific credits to researchers or other cross-references, but it also happens even with the best of intentions. Consider the series of closely-related PostgreSQL vulnerabilities that were posted in August 2002, where careful analysis shows that it's difficult to tell which vendors fixed which issues. In the process of asking vendors for clarification, we have sometimes found they did not patch the bugs that they think they did. We've encountered this issue with nearly every major OS vendor out there, whether open or closed source. Tracking down these small but important inconsistencies is extremely difficult when there are only "there is a bug" advisories. Experience has shown that to sufficiently distinguish between vulnerabilities, we often need some notion of what the attack vector (or function) is. Also, consider problems like buffer overflows, which these days can include "new" bugs like integer overflows and signedness errors, array index modification, field length tampering, etc. Without some sense of details, the consumer can't tell if a product has "the same old obvious vulnerabilities" or some new flavors. As an example, many of last year's OpenSSH bugs were "interesting" and "new," or at least not the same old obvious overflows - even if they were called overflows. This can be inferred from the patches in the cases where the advisories are not so precise. On the other hand, one is rarely certain whether the buffer overflows being reported for Microsoft products are the "classic" overflows or the "new" overflows, because there often isn't much detail in the Microsoft bulletins or even independent researcher advisories. - Steve _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- David Litchfield talks about the SQL Worm in the Washington Post Richard M. Smith (Jan 29)
- Re: David Litchfield talks about the SQL Worm in the Washington Post Georgi Guninski (Jan 29)
- RE: David Litchfield talks about the SQL Worm in the Washington Post Richard M. Smith (Jan 29)
- RE: David Litchfield talks about the SQL Worm in the Washington Post Geo (Jan 29)
- <Possible follow-ups>
- Re: David Litchfield talks about the SQL Worm in the Washington Post Steven M. Christey (Jan 29)
- Re: David Litchfield talks about the SQL Worm in the Washington Post auto68182 (Jan 30)
- Re: David Litchfield talks about the SQL Worm in the Washington Post Georgi Guninski (Jan 29)