Penetration Testing mailing list archives
Re: Scanners and unpublished vulnerabilities - Full Disclosure
From: "Jon Bull" <jon.bull () knowledgelinks com>
Date: Wed, 29 May 2002 19:07:18 -0700
Hello,

First time posting to the list, be gentle. I wish to make three points, one suggestion, and a small side note:

1) Unless the consultants licence is very carefully distributed, unethical people will purchase Typhoon II, which can be furnished with near-zero-day exploits. These are exploits that the public will be unable to guard against until a patch is released. I believe that eventually Typhoon II will be used by unethical people to this end, and that it is impossible to guard against this eventuality as long as the consultants licence exists. (This point may be invalid if the consultant must go through NGSS, who would verify permission with the site to be tested. I doubt this is the case, but it would speak well of NGSS if this is the manner in which the consultants licence is handled.)

2) Once an exploit is added to the list of checks on Typhoon II and an administrator or consultant determines his system to be vulnerable, he must still wait for a patch.

3) The recent JRun advisory, I feel, gives up too much information. I'm sure as I type this someone is working to figure out the length of the host header field needed to achieve the overflow.

Suggestion - Instead of making a scanner to test for a vulnerability that a Typhoon user may not be able to prevent, why not create IDS software to detect the exploit? To me this seems a more defensive, responsible, and effective role.

Side Note/Opinion - I would suggest anyone afflicted by this who will be charged for the upgrade heckle their sales rep. Security updates for a product should not come at a price, or do you pay extra for a Quality Assured version?

Thanks for your time and attention,
Jon

----- Original Message -----
From: "David Litchfield" <david () ngssoftware com>
To: "batz" <batsy () vapour net>; "Alfred Huger" <ah () securityfocus com>
Cc: <pen-test () securityfocus com>
Sent: Wednesday, May 29, 2002 11:25 AM
Subject: Re: Scanners and unpublished vulnerabilities - Full Disclosure
> The statement could have been written more clearly. Commas help to delineate dependencies in a statement. Here's what I got out of it:
>
> - NGSSoftware does vulnerability research.
> - Vendors have been slow to patch vulnerabilities.
> - To make the patch process more prompt, vendors will be given 1 week heads up when vulnerabilities are discovered.
> - After 1 week, the public will be alerted by NGSS.
> - NGSS will provide a workaround to the public, unless that workaround will provide exploitation details.
> - NGSS will add a check for the vulnerability to vuln assessment software, regardless of whether the check would disclose exploitation details.
> - This process is consistent with the IETF Christey-Wysopal draft.
> - This process will make the patch process more visible by providing a way for the public to see how long it took to write the patch.

A fairly good summation, however....

> This process will keep some exploitation details away from the public, and particularly, a minority of malicious members of the public. Though obvious, it is worth noting that this process will only keep exploitation details of vulnerabilities discovered by NGSS from the public, and the underground will continue to write exploits for private distribution until they are old enough to be hired as consultants.

This comment (and some which follow) indicates you've missed one of the key points. When the vendor does release a patch NGSSoftware will follow up with full details as normal. The VNA is not intended to replace our normal full advisory - it simply exists as an interim solution to 'help' ensure vendors release patches in a timely fashion.

> Alfred's comments about how this will affect the pen-testing profession seem to be based on the possibility that advisories published by NGSS will cause customers to want to be sure their pen-testers are checking for these vulnerabilities. Without detailed information about these vulnerabilities, pen-testers may not be able to check for them, which could lead to incomplete assessments, and potentially, a further erosion of the credibility of the profession.

Again this is counteracted by the follow-up advisory - see above. The pentest community will still get the full information so they can provide their customers with details of these vulnerabilities. It is not and never has been the intent of NGSSoftware or the guys that make up the company to 'hoard' our research and keep it to ourselves.

> NGSS's process is a way to make vulnerability R&D finally pay for itself, because they know that simply being elite doesn't mean much to the managers and CFOs making purchasing decisions. The only value add that there is in a competitive market like security software/services is proprietary technology, and a means to protect that advantage. Spending their expensive R&D resources to get props on bugtraq or at blackhat won't keep them fed, despite the community value of doing so.

By putting these checks in Typhon, which we've always done, we buy a week or two advantage over something like Nessus.

Hope this clears things up.

Thanks,
David Litchfield
http://www.ngssoftware.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/