Re: [Full-Disclosure] Anti-MS drivel

From: Michal Zalewski
Date: 01/20/04

  • Next message: S G Masood: "Re: [Full-Disclosure] local SYSTEM on Windows vs. local root on Unix"
    To: yossarian <>
    Date: Tue, 20 Jan 2004 22:02:43 +0100 (CET)

    On Sun, 18 Jan 2004, yossarian wrote:

    > I checked the flaws reported the last week - and yes I read many many lists,
    > some 250 mails per day - and the only thing getting close to software used
    > in bigger environments is this BEA thingie 5 days ago /.../

    Yup, security research focuses on home computing, but this does not mean
    the quality of enterprise software is any better; quite the opposite. I
    had a chance to audit a bunch of big enterprise applications in several
    places I've worked in, and it is very uncommon to find a solution that
    will not fall apart if you mess with its proprietary protocols and
    interfaces - often exposing gross trust model design problems.

    These applications usually undergo much more rigorous QA, and this
    eliminates most of the basic reliability issues that occur in reasonably
    "normal" working conditions - but the most common type of QA does almost
    nothing to find problems that will surface only when the application is poked
    with a stick by a sufficiently skilled attacker. Old school development
    and quality assurance practices, and developers with mindsets locked on
    network security as it used to be in the late '80s or so, are far more
    prevalent in these environments. And it really really shows.

    The relatively low number of vulnerabilities found in those products can
    be attributed to a couple of basic factors:

    1) Average Joe Hacker does not have access to prohibitively expensive
       or highly specialized systems used in high-profile corporations.
       He does have his Windows and Linux partition, though, maybe even
       a Solaris box somewhere, and can sometimes get hold of Oracle.
       Enterprise applications for VMS or OS/400, doubtful. This holds true
       both for amateur researchers, and for many "vulnerability research"
       shops, too - they simply do not have the budget (or incentive) to
       do it.

    2) Joseph Hacker who happens to be working in a corporation that has such
       a platform is usually limited in how far he can experiment with it
       while playing it safe, especially if it is a production system "ever
       since", and creating a dedicated testbed with appropriate data feeds
       would be overly complex or time-consuming.

    3) Even if Joseph finds a flaw, he is expected to work with the vendor
       to protect his company's assets, instead of disclosing a problem
       (otherwise, a swift retaliation from both the vendor and his
       now ex-employer would ensue). He does not have the freedom
       Joe enjoys.

       Moreover, sometimes vendors are extremely non-cooperative, and there
       is simply no other choice for this platform that could be used
       as a replacement without major transition expenses and problems.

    4) The public interest in this type of vulnerability is marginal.
       Although some solutions may be popular in corporations, the systems
       usually do not face the Internet, and are seldom mentioned in the
       media. As such, there is very little incentive to disclose this
       type of stuff, as only a couple of folks are going to realize
       what you are talking about to start with.

    Just my $.02.

    ------------------------- bash$ :(){ :|:&};: --
     Michal Zalewski * []
        Did you know that clones never use mirrors?
    --------------------------- 2004-01-20 21:31 --
    Full-Disclosure - We believe in it.
