Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Date: Fri Feb 18 2011 - 12:33:32 CST
On Fri, 18 Feb 2011 10:07:26 EST, Charles Morris said:
> It is my personal belief that all vulnerabilities should be patched
> regardless of existence of a known attack vector or exploit.
Let me fix that for you:
All vulnerabilities should be evaluated as to whether patching them
makes sense. If it's a one-liner fix for a stupid logic error, yes
it probably should be patched whether or not there's a known exploit.
The problem starts when you hit something that's a deeply seated design
issue in a published API - then you need to balance the costs of possible
exploits against the equally real costs of fixing the problem (which may
end up requiring a possibly large number of third parties to fix their
usage of the API). The Windows "shatter attack" is a good example:
Why was that such a pain to fix over multiple years? Because you couldn't
fix it without breaking legitimate users of the interface. And here it is
almost a decade later, and I'm not 100% convinced it's totally fixed yet.
That one was pretty obviously an issue where a paper was out showing how to
exploit it, in a very highly visible and widely distributed piece of software.
But there's plenty of packages that have only thousands or even mere hundreds
of users (especially off on the long-tail end of open-source). If one of those
projects is discovered to have a major hole, but it's a package that's usually
used on a laptop and you need to run code on the target machine, how important
is it *really* to be patched? If the attacker is already running code on your
laptop as another user, the additional privilege escalation to your userid may
not matter that much anymore...
So yes, evaluation is needed. But patching it may not make any realistic
sense, depending on the nature of the issue and who is potentially affected.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/