Re: Which Router for VPN and Webhosting

From: Eirik Seim (eirik_at_mi.uib.no)
Date: 09/20/03


Date: 20 Sep 2003 20:36:24 GMT

On Sat, 20 Sep 2003 16:31:30 GMT, David wrote:
> It's hard to say. In either case it is simply a matter of whether the black
> hats find the vulnerabilities before the white hats do. Even with MS's piss
> poor reputation in regards to dealing with reported vulnerabilities, they do
> seem to get most of their holes patched before the exploits hit the net.

In most cases yes. I don't think they ever patched that IGMP problem
with Windows 98SE (and earlier). The problem is rather the amount of
patches. Once there is a patch that is a bit harder than usual to
install (like the MS-SQL hole exploited by the Slammer worm), it is
skipped and forgotten until networks start to go down.

> There are several security outfits looking for windows vulnerabilities right
> now because there is money to be made in doing so.

Which is great! :)

> On the other hand I have seen a lot of open source vulnerabilities that are
> being discovered after the exploits show up. OpenSSH for example just fixed
> two holes one right after the other which it looks like were only discovered
> after several systems had reportedly been hacked. And this is not an obscure
> open source project.

There will always be bugs in complex software. Most of them are found
and fixed before an exploit is out, but yes I see your point. The sword
cuts both ways.

> There is a lot of open source stuff out there that is not getting audited.
> And there is a bunch of PHP and perl stuff for websites which is full of
> exploitable code. Take a look at many of the open source web application
> projects and you will probably find exploitable scripts and/or SQL injection
> vulnerabilities.

Poorly written web applications will become even more of a problem in
the future. There is an infinite number of bad programmers out there
who took a one-year "web programming" course[1], and keep making the
same mistakes instead of reusing mature code and following the recommended
guides for things like input checking[2].

- Eirik

1. And others, of course. A CS degree doesn't have to help, either.
2. The last case I reported was actually at my local MENSA website,
    which was kind of amusing in a way..

-- 
New and exciting signature!

