Re: [Full-Disclosure] The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011

From: Geoincidents (geoincidents_at_getinfo.org)
Date: 04/15/04

    To: <full-disclosure@lists.netsys.com>
    Date: Thu, 15 Apr 2004 07:50:15 -0400
    > I can see that you don't know anything about finding vulnerabilities or
    > writing exploits. What you just said is "Hey d3wd, there's like a
    > vulnerability in windows man, and h3h see if you can find it d00d!".

    Isn't that exactly the assumption that eeye proceeds under?

    The original statement to which I responded suggested "what if someone
    exploited ASN.1 before Microsoft had a patch ready". I then suggested that
    there are damn few people capable of finding and exploiting such without
    help from folks like the guys at eeye (that was not meant as a cut to
    Immunity, Inc., nor was I talking specifically about ASN.1). So I feel it's
    perfectly proper to point out that the eeye URL is a list of exploitable
    code that vendors have not patched yet and for which eeye has not posted
    details (i.e. no help from eeye); it was actually a much more impressive
    list a month ago.

    Where are the exploits for these from the worm/virus writers? If they and
    the other exploit coders were so skilled, Microsoft wouldn't be taking 4 - 6
    months to patch this stuff. (I don't know Dave, so this really isn't a
    reflection on his personal skill set, and I'm sure he's a responsible
    discloser, so MS doesn't see him as a threat.) If hackers could read the
    eeye list, then find and exploit those flaws without further help from
    eeye, then Microsoft would be forced to deal with these issues much faster.
    How long was this last batch of exploits posted on the eeye site before
    they were patched the other day?

    The fact that this isn't happening even though eeye has posted their list
    should be sufficient proof that the skill set required is beyond most.
    Perhaps Dave is capable but doesn't feel it's worth the effort until the
    details are released; I could believe that, but the fact that none of the
    worm writers are doing it, when clearly it's worth far more to them prior
    to a patch release, is very telling.

    To put it another way, imagine the woody a worm writer would get from
    creating a worm based on a universal Windows exploit like lsass or asn.1
    where the worm grabbed the Windows CD key like keyfinder does
    (http://www.magicaljellybean.com/keyfinder.shtml), then included the CD
    keys from the last 100 machines it infected in an email sent to everyone in
    the address book. Clearly the motivation is there, the flaws are there;
    it's the skill set that is missing.

    Geo.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html