Re: [Full-Disclosure] The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011
From: Geoincidents (geoincidents_at_getinfo.org)
To: <firstname.lastname@example.org>
Date: Thu, 15 Apr 2004 07:50:15 -0400
> I can see that you don't know anything about finding vulnerabilities or
> writing exploits. What you just said is "Hey d3wd, there's like a
> vulnerability in windows man, and h3h see if you can find it d00d!".
Isn't that exactly the assumption that eeye proceeds under?
The original statement to which I responded suggested "what if someone
exploited ASN.1 before microsoft had a patch ready". I then suggested that
there are damn few people capable of finding and exploiting such without
help from folks like the guys at eeye (that was not meant as a cut to
Immunity, Inc. nor was I talking specifically about ASN.1). So I feel it's
perfectly proper to point out that the eeye URL is a list of exploitable
code that vendors have not patched yet and which eeye has not posted details
(i.e. no help from eeye), it was actually a much more impressive list a month
Where are the exploits for these from the worm/virus writers? If they and
the other exploit coders were so skilled, Microsoft wouldn't be taking 4 - 6
months to patch this stuff. (I don't know Dave so this really isn't a
reflection on his personal skill set, and I'm sure he's a responsible
discloser so MS doesn't see him as a threat) If hackers could read the eeye
list then find and exploit those flaws without further help from eeye then
Microsoft would be forced to deal with these issues much faster. How long
was this last batch of exploits posted on the eeye site before they were
patched the other day?
The fact that this isn't happening even though eeye has posted their list should
be sufficient proof that the skill set required is beyond most. Perhaps Dave
is capable but doesn't feel it's worth the effort until the details are
released, I could believe that, but the fact that none of the worm writers
are doing it when clearly it's worth far more to them prior to a patch
release is very telling.
To put it another way, imagine the woody a worm writer would get from
creating a worm based on a universal windows exploit like lsass or asn.1
where the worm grabbed the windows CD key like keyfinder does
http://www.magicaljellybean.com/keyfinder.shtml then included the CD keys
from the last 100 machines it infected in an email sent to everyone in the
address book. Clearly the motivation is there, the flaws are there, it's the
skill set that is missing.
Full-Disclosure - We believe in it.