05.09.08
Posted in Personal at 8:00 pm by Tyler Reguly
Hey All,
Time for a personal post... The next two weeks I probably won't be blogging much (or necessarily even acknowledging the blog exists).... then again maybe I will. Either way, I'm getting married on May 17th (back home in Sault Ste. Marie). Shortly after the wedding we'll be going on a brief honeymoon to Chicago and then it's back here to Toronto.
Anyways... Just wanted to share.
05.08.08
Posted in IT, Security at 3:57 pm by Tyler Reguly
I read this today on a local news site and the only thought that went through my head was "wow"... Essentially a malicious individual hacked the Epilepsy Foundation's website and posted hundreds of rapidly flashing images. While I don't condone it... I can understand why people think they should target websites for profit or pride... but this? It's just plain mean... It makes me wonder what the world is coming to.
Update: Apparently this is old news and I'm a little slow finding out about it.
Posted in IT, Security at 10:04 am by Tyler Reguly
There were a couple of random things that I wanted to comment on.
The first was a post by Dave Lewis of Liquidmatrix. The post in question is a discussion of a Wonderware advisory released by Core Security and the level of detail that they provided. Dave doesn't agree with the level of detail provided... as they had details on how to exploit the vulnerability and even showed the assembly from the vulnerable function. He also comments that this isn't responsible disclosure. I'm <sarcasm>really glad to see this debate is coming up again</sarcasm>... but really, where's the lack of responsible disclosure? Core reported the vulnerability to the vendor (repeatedly) and went out of their way to ensure the vendor was aware; this is more than a lot of people / companies do. They then continually pushed their advisory release date to accommodate the company. These details are being released after the patch as well.
There's absolutely nothing wrong with this... it's really no different from the level of detail provided by other security vendors that release advisories. Once the patch is out there isn't much to stop malicious individuals from obtaining the assembly to the vulnerable function... a copy of IDA Pro and BinDiff is really all they need. Outside of the assembly... the level of detail provided is really the same as most other security vendors that release advisories. I've seen them include some sort of binary analysis in the past... and most of them contain a text write-up... here's an example with enough text to more than locate the vulnerability from TippingPoint / ZDI:
The specific flaw exists in the oninit.exe process that listens by default on TCP port 1526. During authentication, the process does not validate the length of the supplied user password. An attacker can provide an overly long password and overflow a stack based buffer resulting in arbitrary code execution.
Part of the problem with the InfoSec battle is that the bad guys have essentially unlimited time, whereas IS employees have families and lives and work a set schedule. The Core advisory has set internal security teams on their way to developing their own exploits should they need to; without it, they'd have had a lot more work to do and it would have taken them more time. Core did everything short of releasing the related Python, and you can't really blame them, since then they'd be giving away their product for free. In the end, what they did was, in my opinion, beneficial to all.
It's one thing to simply release details, but as soon as someone works with the vendor you can't really cry foul when they publish the details. At least not on the 'responsible disclosure' front... because they've followed responsible disclosure, and in this case Core Security hasn't done anything different than a number of vendors. Microsoft Tuesday is coming up; watch the mailing lists, as each vendor that has reported a vuln usually sends out some sort of advisory, and these range from brief overviews to full binary analysis and specific details on exploiting the vulnerability. We've seen it before and we'll see it again... but the patch is out, so they aren't helping the malicious individuals... just the good guys who have time constraints.
05.06.08
Posted in IT at 3:46 am by Tyler Reguly
I found this blog post rather interesting today. It's an explanation of how SP3 and IE will work together. Essentially it comes down to the following:
If you have IE6: It's business as usual... you will be offered SP3 via Windows Update and you'll still be running IE6 after the update.
If you have IE7: You will be offered SP3 via Windows Update, however once you complete the install of SP3 you'll be unable to revert to IE6. Due to updates that are included for IE6 (which won't be installed since you have IE7), IE7 cannot be uninstalled.
If you have IE8 Beta: You will NOT be offered SP3 via Windows Update. As well, once you install SP3 you will NOT be able to uninstall IE8 Beta. Microsoft is recommending that you uninstall IE8 Beta, install SP3 and then reinstall IE8 Beta if you are using it.