Jason Miller, 2006-03-07
There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn't exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have in making these issues public?
The value of vulnerabilities
2006-03-07
Anonymous (4 replies)
Re: The value of vulnerabilities
2006-03-08
infamous41md
Regarding the "public good", vendors have - at least - the role of:
a) not downplaying the significance of flaws
b) disclosing flaws to a public forum and making their users aware of them
c) working with researchers to fix the flaws since many vendor attempts at fixes seem rather inept
From ...
Another viewpoint - The value of vulnerabilities
2006-03-08
Robert E. Lee
> And, to clarify, I'm not saying that posting an exploit to Bugtraq before even contacting a vendor (or perhaps, just a few hours after contacting them) is responsible. It's not.
End users of publicly available applications are telling us that they want to be notified at the same time as vendor...
The value of vulnerabilities
2006-03-08
Matthew Murphy (1 replies)
All I can say is: Amen.
It's not often that I read writing that hits a nail so squarely on the head.
Vendors need to start taking some responsibility for ridiculous disclosure timelines. Two come to mind as the chief offenders in this respect: Microsoft and Oracle.
I've created a page on m...
The value of vulnerabilities
2006-03-08
Anonymous (1 replies)
Time = money
Finding exploits = time = money
For commercial applications there is no free lunch. I still have to see some commercial application developer come and give me a free unlimited copy of his product. So please give me a valid reason to pass free information to someone who will profit...
Re: The value of vulnerabilities
2006-03-13
hi2005
If the vendor would not like to pay for the vul you find, then you decide to disclose it to the highest bidder. And then someone exploits this vul to make money. Then the customers are hurt and blame the vendor. And at last the vendor has to pay for such a vul when found. That's a sound feed-back syst...
The value of vulnerabilities
2006-03-08
Omar A. Herrera (2 replies)
I think it will also depend on the bad guys. There are known cases of people selling malware to anybody. That includes criminals of course and we might not be that far from seeing criminal organizations offering a higher price for unpublished vulnerabilities and exploits.
Which way will reasearc...
Re:Good Points
2006-03-08
R_U_Trustified (2 replies)
Wouldn't it be better to have a technology that prevented vulnerabilities from being acted on, effectively reducing the risk model to zero? This is possible in a trusted operating system, where any application can be caged, escalation of privileges is impossible and malware can not execute, even if ...
Re: Re:Good Points
2006-03-09
Matthew Murphy (1 replies)
Sure it would. A trusted operating system would, in fact, eliminate vulnerability. Now show me such an operating system.
...Didn't think so.
Fact is, OSes are inherently vulnerable to attack because they have the nearly-impossible task of protecting the system from itself, from attackers and...
Re: Re: Re:Good Points
2006-03-14
Robert E. Lee (1 replies)
> A "trusted" operating system in the absolute sense is a theoretical concept. It simply does not exist.
They do exist with varied degrees of assurance that they provide the security mechanisms called for in their design and deployment.
Read the following links for more information:
http://w...
Re: Re: Re: Re:Good Points
2006-03-15
Matthew Murphy (1 replies)
The fact that some systems have been CC-evaluated doesn't make your point. It's still just theory.
The security "mechanisms" may be there, but nearly all of these mechanisms in an OS that has any general-purpose use will have holes and therefore vulnerabilities still exist.
"Trusted design" d...
The value of vulnerabilities
2006-03-10
Max (1 replies)
Well, I think both the vendor and the researcher are partly at fault. In a circumstance (this happens a lot, it seems) where the vendor is contacted by the researcher about a new vulnerability and exploit, and the vendor does nothing at all... the researcher's best next move is to make the vulnerability...
Re: The value of vulnerabilities
2006-03-14
Robert E. Lee
> basically what i'm saying is, add a couple extra steps to notify the users and the public about the problem before you publish code and allow users that have no idea there is a vulnerability, to get owned.
Without the exploit the end-user can not test their systems for susceptibility to the vul...
Responsible disclosure
2006-03-13
Anonymous (1 replies)
"Yet many people believe that a vulnerability doesn't exist until it is disclosed to the public."
I almost agree with this, but I wish Jason had said that most people also haven't a clue what to do about vulnerabilities.
I'd submit that to be truly a responsible disclosure, no vulnerability shou...
Re: Responsible disclosure
2006-03-14
Robert E. Lee
> I'd submit that to be truly a responsible disclosure, no vulnerability should be released to the entire public without a workaround included.
Sometimes the only workaround is to disable public access to the service or software that is vulnerable. According to our customers of third-party produ...
The value of vulnerabilities
2006-03-16
C. Winchester
That is one of the most well-balanced articles on vulnerabilities that I have read in a long time. It is a balancing act but vendors are the source / cause of the vulnerabilities. While totally irresponsible disclosure practices on the part of the security "researcher" are worthy of bad press, vendo...
What Value?
2006-03-17
Anonymous (2 replies)
The question that no one is really asking is: What value do companies get from buying vulns? Why does iDefense or 3Com or Immunitysec pay for 0day vulns? And why now?
With remote vulns that are truly exploitable becoming fewer, these companies that relied on vulns to fuel their business model ...
Re: What Value?
2006-03-20
infamous41md
If you can place an arbitrary value at an arbitrary address, that IS remote code execution.
Why are they paying for vulns? Because security is "cool" now. Also, for certain companies, it makes sense for them to pay idefense for their services. Example, Adobe. If researchers know that idefen...