Re: [Full-Disclosure] Anti-MS drivel

From: Michal Zalewski (
Date: 01/20/04

  • Next message: S G Masood: "Re: [Full-Disclosure] local SYSTEM on Windows vs. local root on Unix"
    To: yossarian <>
    Date: Tue, 20 Jan 2004 22:02:43 +0100 (CET)

    On Sun, 18 Jan 2004, yossarian wrote:

    > I checked the flaws reported the last week - and yes I read many many lists,
    > some 250 mails per day - and the only thing getting close to software used
    > in bigger environments is this BEA thingie 5 days ago /.../

    Yup, security research focuses on home computing, but this does not mean
    the quality of enterprise software is any better; quite the opposite. I
    had a chance to audit a bunch of big enterprise applications in several
    places I've worked in, and it is very uncommon to find a solution that
    will not fall apart if you mess with its proprietary protocols and
    interfaces - often exposing gross trust model design problems.

    These applications usually undergo much more rigorous QA, and this
    elliminates most of basic reliability issues that occur in reasonably
    "normal" working conditions - but the most common type of QA does almost
    nothing to find problems that will surface only when the application poked
    with a stick by a sufficiently skilled attacker. Old school development
    and quality assurance practices, and developers with mindsets locked on
    the network security it used to be in late '80s or so, are far more
    prevalent in these environments. And it really really shows.

    The relatively low number of vulnerabilities found in those products can
    be contributed to a couple of basic factors:

    1) Average Joe Hacker does not have access to prohibitively expensive
       or highly specialized systems used in high-profile corporations.
       He does have his Windows and Linux partition, though, maybe even
       a Solaris box somewhere, and can sometimes get ahold of Oracle.
       Enterprise applications for VMS or OS/400, doubtly so. This holds true
       both for amateur researchers, and for many "vulnerability research"
       shops, too - they simply do not have the budget (or incentive) to
       do it.

    2) Joseph Hacker who happens to be working in a corporation that has such
       a platform is usually limited in how far he can experiment with it
       while playing it safe, especially if it is a production system "ever
       since", and creating a dedicated testbed with appropriate data feeds
       would be overly complex or time-consuming.

    3) Even if Joseph finds a flaw, he is expected to work with the vendor
       to protect his company's assets, instead of disclosing a problem
       (otherwise, a swift retaliation from both the vendor and his
       now ex-employer would ensue). He does not have the freedom
       Joe enjoys.

       Moreover, sometimes vendors are extremely non-cooperative, and there
       is simply no other choice for this platform that could be used
       as a replacement without major transition expenses and problems.

    4) The public interest in this type of vulnerabilities is marginal.
       Although some solutions may be popular in corporations, the systems
       usually do not face the Internet, and are seldom mentioned in the
       media. As such, there is very little incentive to disclose this
       type of stuff, as only a couple of folks are going to realize
       what you are talking about to start with.

    Just my $.02.

    ------------------------- bash$ :(){ :|:&};: --
     Michal Zalewski * []
        Did you know that clones never use mirrors?
    --------------------------- 2004-01-20 21:31 --
    Full-Disclosure - We believe in it.

  • Next message: S G Masood: "Re: [Full-Disclosure] local SYSTEM on Windows vs. local root on Unix"