Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: When do exploits get used?
From: Dave Aitel <dave () immunitysec com>
Date: Mon, 22 Mar 2004 18:30:19 -0500

Hash: SHA1

Jay Beale wrote:

| Luke Scharf wrote:
|> On Mon, 2004-03-22 at 14:46, Paul Schmehl wrote:
|>> To think otherwise is foolish, as I said.  If one isn't
|>> paranoid, one probably doesn't belong in the security field.
|>> If you're sitting back thinking you're safe because you're
|>> patched and you patch quickly, then you're unalert and exposed.
|> Patching, passwords, and basic-permissions *are*, however, the
|> 10% of the work that gets 90% of the benefit.  All the stuff that
|> we get excited about here is just icing on the cake.
| I think you're going to quickly change your mind as soon as the
| first 0-day worm comes out.  All the patching in the world doesn't
| save us if the attackers ever get a widely-used exploit against a
| non-public vulnerability.  At that point, internal firewalling and
| system hardening, to say the least, take center stage.  (Of course,
|  you could add to these, or potentially replace these with, some
| particular host-based intrusion prevention/kernel modification
| solutions, but I'll leave that one alone for now.)
| The day of the 0-day worm is coming, or at least the
| close-enough-to-0-day worm, that organizations that do patch often
| will still get badly compromised.  This basically comes down to a
| question of windows of vulnerability.  Your window of vulnerability
|  to a given exploit comes down to the sum of three time windows:

Why the focus on worms again? Worms are what happen when good exploits
are wasted. No one who has an exploit wants a worm to come out. This
is why a real 0day worm is probably not coming out any time soon, imo.

| Patching isn't really 90%.  It seems like that because
| organizations still aren't keeping up with patches and thus don't
| know what would have happened if they had.  It seems like that
| because we're not getting caught in the first two parts of our
| windows of vulnerability that often just yet.  If a worm comes out
| in time window 1 or 2, your 1-hour patch turnaround won't save you.
It always boggles me that people will patch production systems for
remote SYSTEM vulnerabilities.

- -dave

Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]