Full Disclosure mailing list archives
Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)
From: Benji <me () b3nji com>
Date: Sun, 21 Apr 2013 00:43:15 +0100
Sorry, by flaws, I should have said, *"has not prevent bad code/ineffective patches from being pushed out" On Sun, Apr 21, 2013 at 12:41 AM, Benji <me () b3nji com> wrote:
(For example, http://webcache.googleusercontent.com/search?q=cache:2cXGaaHnqyMJ:www.computerworld.com/s/article/9235954/Researchers_find_critical_vulnerabilities_in_Java_7_Update_11+&cd=8&hl=en&ct=clnk&gl=uk) On Sun, Apr 21, 2013 at 12:37 AM, Benji <me () b3nji com> wrote:Because security engineers are different to a QA department you originally suggested, and you seem to be very ideologist about the scenarios. As we've seen, Oracle's Java product has security engineers and this has not prevented flaws. On Sun, Apr 21, 2013 at 12:34 AM, Bryan <bryan () unhwildhats com> wrote:"Your 5-chained-0day-to-code-exec, in my opinion, does not count as negligence and comes from the developer effectively not being a security engineer" Solution: Hire security engineers. "In my opinion we are not at the stage in industry where we can consider/expect any developer to think through each implication of each feature they implement" Solution: Hire security engineers to think through each implication. Why are we disagreeing? On Sun, Apr 21, 2013 at 12:11:51AM +0100, Benji wrote:Your proposition was that developers will always make mistakes and introduce stupid problems, so a QA team/process is necessary. WhileIagree that there should be a QA/'audit' at some point, it shouldntbe thestage that is relied on. Applications that are flawed from thedesignstage onwards will become expenditure blackholes, especially aftergoingthrough any QA process which should highlight these. Potentially yes, but most of the larger companies appear to alreadydothis. A quick search through google shows that Oracle atleastalreadyhave, and/or are actively hiring security engineers involved withJava(for example). Flaws will always pop up and I think we may now be bordering ondiscussingwhat counts as negligence in some cases. Your5-chained-0day-to-code-exec,in my opinion, does not count as negligence and comes from thedevelopereffectively not being a security engineer, but doing the job of a developer. In my opinion we are not at the stage in industry wherewe canconsider/expect any developer to think through each implication ofeachfeature they implement, without a strong security background asmuch as wemay appreciate it. Negligence in my opinion of securityvulnerabilities ishaving obvious format string bugs/buffer overflows when handlinguserinput for example, or incorrect permissions, or just a lack of consideration to obvious problems. Developer training should pickup onthe obvious bugs, or atleast give developers an understanding ofhow tohandle users/user input in a safe manner, and know the implicationsof notdoing so. On Sat, Apr 20, 2013 at 11:58 PM, Bryan <bryan () unhwildhats com>wrote:I think the definition of 'needless staff' highly depends onwhether youwant 'vulnerable software'. Educating current developers is absolutely a good idea, but stillnotfoolproof. The bottom line is that if you want safe software, youneedto invest in proper development. As far as I am concerned, forlargecompanies like Adobe and Oracle, where software bugs in yourproducthave a direct impact on the safety of your customers, thatinvolveshiring specialized staff.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555), (continued)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Benji (Apr 20)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Benji (Apr 20)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Bryan (Apr 20)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Benji (Apr 20)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Benji (Apr 20)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Bryan (Apr 20)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Benji (Apr 20)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Bryan (Apr 20)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Benji (Apr 20)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Benji (Apr 20)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Benji (Apr 20)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Bryan (Apr 20)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Valdis . Kletnieks (Apr 20)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) phocean (Apr 20)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Jeffrey Walton (Apr 21)
- Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555) Benji (Apr 22)