Re: [Dailydave] RE: Microsoft silently fixes security vulnerabilities

From: Chris Anley (chrisngssoftware.com)
Date: Sun Apr 23 2006 - 04:38:52 CDT


H D Moore wrote:
> Silent patching helps attackers by preventing the NIPS/HIPS/VA
> companies from being able to protect their customers. In previous
> pen-test engagements, I preferred to use an unknown, but patched flaw
> over a widely-reported one every time. The admin doesn't know about
> it, the vendor has a patch for it, and I don't have to worry about
> anyone having a signature for it.

Definitely. There's a further problem though - sometimes a fix is only
silent because the vendor doesn't know they've fixed something.

As someone fixing an overflow (say), if I apply a 'gating' validation to
some input string near the point that string is received and reject
input greater than some presumably safe length, I have not only fixed
the reported bug but also probably a number of related bugs in other
code further down the call tree that I'm unaware of, maybe because
someone else in my company wrote it, or because it's in third-party
code, or even in a third party binary.

The problem is that neither I (the developer following best practice)
nor the vulnerability researcher, nor anyone writing NIPS/HIPS knows
what bugs were actually fixed by my input validation.

Now, I'm not saying that specific silent fixes don't happen - obviously
they do - I'm just saying that even if that practice is stamped out by a
public outcry, litigation, legislation etc, there'll still be an
intractable problem to solve.

      -chris.
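The gating pattern described in the message above, as an added example that is not part of the original post or Chris Anley's code: a length check applied once where the string is received, and a downstream routine (standing in for code the gate's author does not own) that carries an unbounded copy into a fixed buffer. The gate length, buffer size and function names are constructed for illustration. Inputs that pass the gate can never reach the latent overflow, which is exactly the "fix nobody knows about" the post describes.

```c
#include <stdio.h>
#include <string.h>

/* Assumed gate length: the "presumably safe" bound applied where input
 * arrives. Constructed value for this example, not from the thread. */
#define MAX_INPUT 64

enum { GATE_OK = 0, GATE_REJECT = 1 };

/* Diagnostic counter so a caller can see whether downstream code ran. */
static int downstream_calls = 0;

/* Bounded strlen so the gate itself never scans past max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Stand-in for code "further down the call tree" that the developer applying
 * the gate may not own. Latent bug: a fixed 96-byte buffer filled with
 * unbounded string functions, so a name longer than about 88 bytes would
 * overflow it. Nothing in this function checks the length. */
static int downstream_greeting(const char *name, char *out, size_t outlen)
{
    char buf[96];
    downstream_calls++;
    strcpy(buf, "Hello, ");
    strcat(buf, name);          /* latent overflow for long names */
    strcat(buf, "!");
    snprintf(out, outlen, "%s", buf);
    return GATE_OK;
}

/* The gate: applied once, near where the string is received. An input with
 * more than MAX_INPUT bytes before a terminator (or no terminator within that
 * window) is rejected outright. */
static int gate_input(const char *raw)
{
    return (bounded_len(raw, MAX_INPUT + 1) > MAX_INPUT) ? GATE_REJECT : GATE_OK;
}

/* Entry point: gate first, then hand off. With MAX_INPUT at 64 the worst case
 * reaching downstream_greeting is 7 + 64 + 1 + NUL = 73 bytes, inside its
 * 96-byte buffer, so the overflow is unreachable even though nobody fixed it. */
int process_request(const char *raw, char *out, size_t outlen)
{
    if (gate_input(raw) != GATE_OK)
        return GATE_REJECT;
    return downstream_greeting(raw, out, outlen);
}

/* Accessor so callers and tests can confirm which path was taken. */
int downstream_call_count(void)
{
    return downstream_calls;
}

int main(void)
{
    char out[160];
    char oversized[200];                       /* constructed oversized input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("short: rc=%d -> %s\n", process_request("Chris", out, sizeof out), out);
    printf("long : rc=%d (downstream calls so far: %d)\n",
           process_request(oversized, out, sizeof out), downstream_call_count());
    return 0;
}
```

The counter is the point of the demonstration: after the oversized request it has not moved, which is the only externally visible evidence that the gate did anything beyond the bug it was written for. A signature author or scanner looking at the downstream function alone has no way to tell the overflow is now dead code.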