funsec mailing list archives

vulnerability overstatement


From: "Larry Seltzer" <larry () larryseltzer com>
Date: Wed, 20 Jan 2010 16:53:06 -0500

It bugs me that (in general) security researchers and vendors never give
a full picture of mitigating factors and limitations when discussing an
attack. They want users to perceive the threat to be as widespread as
possible. Remember, those guys are just in it for the money too.


Let's compare two very recent examples: VUPEN's DEP-bypassing exploit
for the Aurora bug for one. What they said in public made it sound like
the exploit just plain runs on platforms where it had been blocked by
DEP, but I suspected a problem from the beginning: DEP bypass schemes
generally rely on techniques that are defeated by ASLR, and IE runs with
ASLR by default on Vista and Win7. Sure enough, Microsoft's response to
these claims (and I believe them) is that ASLR greatly limits the
utility of the DEP bypass:
http://blogs.technet.com/srd/archive/2010/01/20/reports-of-dep-being-bypassed.aspx
On Vista and Win7 the odds that it will execute are too remote to bother
with. Even on XP, it only works 1 in 3 chances.


Contrast that with Tavis Ormandy's disclosure yesterday of the VDM
privilege elevation hack. He explained in full how it worked *and* a)
that it doesn't work on 64-bit kernels and b) gave instructions on how
to disable the 16-bit subsystems as a workaround. What a gentleman. It
sounds like he really just wants to help.


Security firms never tell you that you need to run as administrator to
be vulnerable to something or that it won't execute reliably or that you
had to choose to run it manually. They just want you to be afraid.


Larry Seltzer
Contributing Editor, PC Magazine

larry_seltzer () ziffdavis com 

http://blogs.pcmag.com/securitywatch/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.