Re: [Dailydave] RE: Microsoft silently fixes security vulnerabilities

From: H D Moore (hdm-daily-davedigitaloffense.net)
Date: Thu Apr 20 2006 - 09:21:26 CDT


On Wednesday 19 April 2006 07:42, Ari Takanen wrote:
> So Steve I agree most vendors would prefer fixing the security
> problems quietly like any other quality problems, and in my opinion
> this is a perfect method of handling vulnerabilities.

That doesn't work. The fact that vendors are doing this is one of the
contributing factors for many of the flaws I find. Without detailed
information about what bugs have been fixed, I have to spend even more
time trying to figure out what bug relates to the patch. I end up finding
all the bugs I wasn't looking for. Below are some example Metasploit
modules of "finding the wrong bug" after a public disclosure:

ie_iscomponentinstalled - Silently patched in XP SP0/2000 SP4
hpux_lpd_exec - Silently patched sometime between 1999 and 2001
rsa_iiswebagent_redirect - Found while looking for the heap overflow
solaris_lpd_unlink - Found when working on the command execution bug
arkeia_agent_access - Found when working on the 'Type 77' overflow

Another example of someone uncovering a "better bug" is Solar Eclipse's
exploit for MS04-007:
http://www.phreedom.org/solar/exploits/msasn1-bitstring/

I still have a handful of bugs sitting around for Timbuktu - the company
that released the last advisory wouldn't provide details, so I spent four
hours looking for it, and keep finding new ones. I contacted the company
and offered to give them the new bugs for information on the old one - I
was trying to write a vulnerability check and this was taking too long as
is. The company refused, citing their disclosure policy, and I still
haven't got around to writing the advisories.

Silent patching helps attackers by preventing the NIPS/HIPS/VA companies
from being able to protect their customers. In previous pen-test
engagements, I preferred to use an unknown, but patched flaw over a
widely-reported one every time. The admin doesn't know about it, the
vendor has a patch for it, and I don't have to worry about anyone having
a signature for it.

-HD