Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: When do exploits get used?
From: Jay Beale <jay () bastille-linux org>
Date: Mon, 22 Mar 2004 17:13:17 -0500

Luke Scharf wrote:

On Mon, 2004-03-22 at 14:46, Paul Schmehl wrote:
To think otherwise is foolish, as I said. If one isn't paranoid, one probably doesn't belong in the security field. If you're sitting back thinking you're safe because you're patched and you patch quickly, then you're unalert and exposed.

Patching, passwords, and basic-permissions *are*, however, the 10% of
the work that gets 90% of the benefit.  All the stuff that we get
excited about here is just icing on the cake.
I think you're going to quickly change your mind as soon as the first 0-day worm comes out. All the patching in the world doesn't save us if the attackers ever get a widely-used exploit against a non-public vulnerability. At that point, internal firewalling and system hardening, to say the least, take center stage. (Of course, you could add to these, or potentially replace these with, some particular host-based intrusion prevention/kernel modification solutions, but I'll leave that one alone for now.)

The day of the 0-day worm is coming, or at least the close-enough-to-0-day worm, that organizations that do patch often will still get badly compromised. This basically comes down to a question of windows of vulnerability. Your window of vulnerability to a given exploit comes down to the sum of three time windows:

1) The time that an exploit exists before the vendor has learned of the vuln and begun preparing the patch. ( 0 days to N years) 2) The time that the vendor spends researching, preparing and testing a patch. ( 1 day to 9 months, probably about 2 days or more.)
3) The time in which a patch is available and you haven't yet deployed it.

First, remember that you have no control over time window 1 and little over time window 2. Time window 3 for the most attentive organizations seems to be around 1 day on non-critical systems and 3 days on critical systems. The averages are probably around 1 month for both types of systems.

If you're in this best set of organizations, potentially spending major manpower on vetting and installing patches, you've still got a decent window of vulnerability. It's at least an hour/day (from #3) along with a few days or more from #1 and #2.

Patching isn't really 90%. It seems like that because organizations still aren't keeping up with patches and thus don't know what would have happened if they had. It seems like that because we're not getting caught in the first two parts of our windows of vulnerability that often just yet. If a worm comes out in time window 1 or 2, your 1-hour patch turnaround won't save you.

You may find this discussion academic. But the exploit writers and the worm writers are getting faster. And that's what should scare us into moving beyond patches. That's what should get us moving to better network and host configurations. That's what should get us to evaluate patching as, at most, the easy, but most critical, 50%.

Of course, I could be wrong.

- Jay


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]