Full Disclosure mailing list archives
Re: When do exploits get used?
From: Dave Aitel <dave () immunitysec com>
Date: Mon, 22 Mar 2004 18:30:19 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jay Beale wrote:

| Luke Scharf wrote:
|
|> On Mon, 2004-03-22 at 14:46, Paul Schmehl wrote:
|>
|>> To think otherwise is foolish, as I said. If one isn't
|>> paranoid, one probably doesn't belong in the security field.
|>> If you're sitting back thinking you're safe because you're
|>> patched and you patch quickly, then you're unalert and exposed.
|>
|> Patching, passwords, and basic-permissions *are*, however, the
|> 10% of the work that gets 90% of the benefit. All the stuff that
|> we get excited about here is just icing on the cake.
|
| I think you're going to quickly change your mind as soon as the
| first 0-day worm comes out. All the patching in the world doesn't
| save us if the attackers ever get a widely-used exploit against a
| non-public vulnerability. At that point, internal firewalling and
| system hardening, to say the least, take center stage. (Of course,
| you could add to these, or potentially replace these with, some
| particular host-based intrusion prevention/kernel modification
| solutions, but I'll leave that one alone for now.)
|
| The day of the 0-day worm is coming, or at least the
| close-enough-to-0-day worm, that organizations that do patch often
| will still get badly compromised. This basically comes down to a
| question of windows of vulnerability. Your window of vulnerability
| to a given exploit comes down to the sum of three time windows:

Why the focus on worms again? Worms are what happen when good
exploits are wasted. No one who has an exploit wants a worm to come
out. This is why a real 0day worm is probably not coming out any time
soon, imo.

| Patching isn't really 90%. It seems like that because
| organizations still aren't keeping up with patches and thus don't
| know what would have happened if they had. It seems like that
| because we're not getting caught in the first two parts of our
| windows of vulnerability that often just yet. If a worm comes out
| in time window 1 or 2, your 1-hour patch turnaround won't save you.
|

It always boggles me that people will patch production systems for
remote SYSTEM vulnerabilities.

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAX3cKzOrqAtg8JS8RAsAEAKC/mo8O2+pOvqrRy2oSdPqmMVmjoACglrMM
g1N5vh1Pi+Gm3ItLYEM0xAU=
=rI8X
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html