[PLUG] Joe Jobbed - security considerations
Ronald Chmara
ron at Opus1.COM
Wed Oct 10 04:57:42 UTC 2007
On Oct 9, 2007, at 9:28 AM, Rich Shepard wrote:
> On Tue, 9 Oct 2007, alan wrote:
>> Are you sure they are not being exploited?
> Not at all. The information sent with the upgrades almost always report
> that there are no known exploitations of the identified vulnerability, but
> that leaves the whole world of unknown exploitations. Or, in Rummy's words,
> the "unknown unknowns."
So, hokay. A bit about frsirt, and my experience in the field....
I had this hardcore gig for about a year, where I was part of a 24/7
team that did nothing but monitor the existing known set of exploits,
write pattern matching code (think of something like snort on
steroids, with end-user clients that could nuke other people (not a
rhetorical device)), and build detection rules for the exploits. One
of our best research tools was frsirt, because quite a few (half to
80%) of their warnings, for a long time, came with PoC (Proof of
Concept) code to run, which made our lives easier.
Frsirt had to *stop* releasing the PoC examples, because well,
somewhere along the line, quite a few people decided it was dangerous
for software exploits to be "known".
Read that last sentence again.
Then ask yourself about what it means when a vendor is saying there
are no "known" (aka published) exploits.
With that being said, I can say that there is a daily firehose of new
alerts, and CERT/CVE is waaay behind the ball on this one. Check out:
<http://www.frsirt.com/english/>
...and when you look at the current list, think to yourself that at
*least* half of those have known (but now not widely published)
exploits... and the remainder, well, our team usually could build an
exploit (and a test for an attack, which was the product being sold)
for 20-30% of them within hours, another 10% within days.
Anecdotally, I'd say up to 90% of publicly released vulns *do* have
exploits.... just not published ones. I know, because I spent a lot
of time writing the exploits, testing them, and detecting their
variations, while writing both exploit and detection code.
-Bop