Posted by jericho
Wed, 06 Jul 2005 10:49:29 GMT
Last month, Watchfire released a new paper describing “HTTP Request Smuggling” attacks. Since the release of this paper, many products have been found prone to such attacks. Some of these include SunONE Web Server, Oracle Application Server Web Server, IBM WebSphere, BEA WebLogic, Tomcat, Microsoft Internet Information Server, DeleGate Proxy, Sun Java System Web Proxy Server, Squid and Apache. This may qualify as the most recent class of vulnerability discovered and could prove interesting over the next few months as vendors scramble to diagnose their products.
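The defensive counterpart to the attack class described above is to refuse any request whose message framing is ambiguous, since smuggling depends on two devices in the chain disagreeing about where one request ends and the next begins. The following is an added example written for this post, not code from the Watchfire paper or from any of the products listed; the sample requests are constructed, and the rejection rules (reject Content-Length together with Transfer-Encoding, reject conflicting or non-numeric Content-Length values, accept only a plain `chunked` Transfer-Encoding, reject whitespace before the header colon) are the strict reading of HTTP/1.1 framing that a proxy or server can apply at its front door.

```python
"""Reject HTTP/1.1 request heads whose message framing is ambiguous.

Added example (not from the Watchfire paper or any product named in the
post).  The rule is to refuse to guess: a request head that carries
conflicting or malformed framing headers is rejected outright instead of
being forwarded to the next hop.  All sample requests are constructed.
"""
import re


def parse_head(raw: bytes):
    """Split a request head (everything up to the blank line) into
    (request_line, [(lowercased_name, value), ...]).

    Raises ValueError on structural problems: non-ASCII bytes, a bare CR
    or LF inside the header block, a header line without a colon, or
    whitespace between the field name and the colon.
    """
    text = raw.decode("ascii")  # UnicodeDecodeError is a ValueError
    lines = text.split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if line == "":
            break  # blank line terminates the head
        if "\r" in line or "\n" in line:
            raise ValueError("bare CR or LF inside header block")
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return request_line, headers


def framing_verdict(raw: bytes) -> str:
    """Return 'ok' if the request's body length is unambiguous, otherwise
    a short 'reject: ...' reason suitable for logging."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return f"reject: {exc}"

    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]

    # Two different framing mechanisms on one request: the classic ambiguity.
    if cl_values and te_values:
        return "reject: Content-Length and Transfer-Encoding both present"

    if te_values:
        # Only a single, exact 'chunked' coding is accepted; anything else
        # (extra codings, misspellings, stray characters) is refused.
        if ",".join(te_values).strip().lower() != "chunked":
            return "reject: unsupported Transfer-Encoding"
        return "ok"

    if cl_values:
        if len(set(cl_values)) > 1:
            return "reject: conflicting Content-Length values"
        if not re.fullmatch(r"[0-9]+", cl_values[0]):
            return "reject: non-numeric Content-Length"

    return "ok"


# Constructed sample requests for illustration.
SAMPLES = {
    "plain":   b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "chunked": b"POST /x HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "cl_te":   b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dup_cl":  b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
    "bad_te":  b"POST /x HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: xchunked\r\n\r\n",
    "space":   b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:8s} -> {framing_verdict(req)}")
```

Only the first two samples pass; every other one is refused before any byte of the body is interpreted, which is the point: a front-end that never forwards an ambiguous head gives the back-end nothing to disagree about.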
Posted in General Vulnerability Info | no comments
Posted by jericho
Sun, 26 Jun 2005 09:30:39 GMT
http://www.suse.de/~thomas/papers/Severity-Metric.pdf
Security Vulnerability Severity Classification
by Thomas Biege (thomas[at]suse.de)
27th January 2005
Abstract
This paper will describe a method of classifying the severity of security bugs in software for Unix-like systems. On the following pages I will propose a metric with weights to describe the impact of vulnerabilities on a scale S with n elements to provide an objective rating system. This classification scheme should serve as a reference for the SuSE Security Team for releasing security announcements. Hopefully this mechanism will be adopted by other vendors to have a vendor-independent rating system. Such a vendor-independent rating scheme will help customers, other vendors, and security companies/organisations to judge the level of impact of a released security update more precisely.
Posted in General Vulnerability Info | 3 comments
Posted by jericho
Fri, 24 Jun 2005 20:51:39 GMT
Halvar posted to the DailyDave mail list today showing a brief Flash-based demonstration of some of his reverse engineering tools. The presentation shows how one can reverse engineer a Microsoft patch using binary diff analysis and figure out exactly what the vulnerability is, down to the function.
What will this technology and method do when hundreds (thousands?) of people can reverse engineer a patch that fast and offer full vulnerability details within minutes of a patch? That type of information would be incredibly valuable to some people, probably for more nefarious purposes. That type of information would be incredible for the security community and vulnerability databases, which often have a difficult time separating issues due to lack of details.
Even more interesting, would this show a more concise history of vulnerabilities in a given vendor’s product that demonstrates the same programs, routines and even functions are found vulnerable repeatedly? Would this help companies identify who should be singled out for additional “secure coding” workshops?
post:
http://archives.neohapsis.com/archives/dailydave/2005-q2/0377.html
demo:
http://www.sabre-security.com/products/flashbindiffpng.html
Posted in General Vulnerability Info | 1 comment
Posted by jericho
Fri, 17 Jun 2005 12:01:57 GMT
Document Detailing “CVE Content Decisions” Now Available
June 15, 2006 — A new document entitled “CVE Abstraction Content Decisions: Rationale and Application” detailing CVE content decisions (CDs) has been posted on the CVE Web site. CVE CDs are the guidelines used to ensure that CVE names are created in a consistent fashion, independent of who is doing the creation.
[..]
http://cve.mitre.org/cve/cdrationaleapplication.html
Posted in General Vulnerability Info | no comments
Posted by jericho
Wed, 08 Jun 2005 06:26:26 GMT
http://archives.neohapsis.com/archives/fulldisclosure/2005-06/0060.html
While symlink vulnerabilities are not new, Steven Christey from CVE points out a recent trend in “second-order symlink” vulnerabilities. Based on the recent examples published, there is a strong chance many applications have been vulnerable to such attacks in the past.
Posted in General Vulnerability Info | no comments
Posted by jericho
Wed, 11 May 2005 04:16:43 GMT
Recently at the CanSecWest conference, Window Snyder from Microsoft gave a talk about Windows XP SP2 security internals. Looking past the bulk of the talk, one portion of it stuck out in the minds of many vulnerability researchers. Unfortunately, the press has only given it a small blurb in the various articles so far.
From http://www.theregister.co.uk/2005/05/09/microsofton_sp2security_process/:
Moreover, the company found and fixed two classes of vulnerabilities that have not been discovered elsewhere, she said.
“These are entire classes of vulnerabilities that I haven’t seen externally,” Snyder said. “When they found these, (the developers) went on a mission, found them in all parts of the system, and got rid of them.”
Snyder remained mum on the details, however, even giving the families of vulnerabilities fake code names: “Ginger” and “Photon.”
Two entire classes of vulnerabilities discovered and fixed, that have never been seen externally? This seems a bit difficult to believe to me. I recall, over the last few years, various conversations and email discussions in which I challenged someone to name the last class of vulnerabilities that surfaced. Not counting these, I believe it has been years?
Anyone have fun speculation regarding what Ginger and Photon might be? Could they be found nowhere else because they are native to Microsoft/Windows? Could it be a big PR gig to further promote trustworthy computing?
Posted in General Vulnerability Info | no comments
Posted by jericho
Fri, 22 Apr 2005 06:07:44 GMT
Interesting article for several reasons. Below are some of the quotes that stood out to me and may prove to be interesting topics.
http://news.bbc.co.uk/1/hi/technology/3485972.stm
Hackers exploit Windows patches
By Mark Ward
Last Updated: Thursday, 26 February, 2004, 10:54 GMT
“We have never had vulnerabilities exploited before the patch was known,” [David Aucsmith, Microsoft Security Business and Technology Unit] said.
I don’t think Aucsmith or any vendor can say this with any certainty. If a vulnerability is found by a security company and disclosed to the vendor, it leads to a patch down the road. When the patch comes out, many people will reverse engineer it to figure out the vulnerability, as most of us know. On the same note, IDS signatures follow the exploits, which follow the patches. So if an unpatched ‘0-day vulnerability’ is being exploited, how do we know? There will be a significantly lower chance of detecting such an attack, so we cannot know this statement is true.
“It’s a myth that hackers find the holes,” said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
Very interesting! Symantec attempts to predict which vulnerabilities will be exploited next. I wonder how =) It would be easy to do a high level analysis (expect to see this from mi2g or Gartner): “We predict that the X vulnerability which is a remote system level compromise that does not require authentication will be widely exploited in short order.” We can all predict this and be right most of the time. I assume Symantec does something above and beyond that…
“Almost all attacks against our software are against the legacy systems,” [David Aucsmith] said. “If you want more secure software, upgrade.”
This makes you wonder if Microsoft doesn’t care more about security because these nasty vulnerabilities are the best argument for buying the latest version they offer. Beyond that, how many of the vulnerabilities last reported affect their latest products? This quote seems like pure marketing spin.
Posted in General Vulnerability Info | 3 comments
Posted by jericho
Sat, 02 Apr 2005 20:18:46 GMT
Why Due Diligence as a Defense is Not Enough
Interesting article, but one portion stood out to me:
From the point a vulnerability is discovered and a remedy is made available, the clock starts ticking. The longer you wait to address the threat, the closer you encroach upon negligence. This is just one demonstration for providing due care.

[..]
Given the long history of debate on what constitutes responsible disclosure (3 days? 2 weeks? 3 months?), attempting to define negligence in the sense of “windows of risk” may be debated for years to come. Schoenberg poses his question and directs it to the corporate world and deployment of technology. What happens when we turn this timetable toward the vendors and patching? Suddenly, we have dozens of cases of some vendors (Sun, HP) being guilty of “gross negligence”.
Posted in General Vulnerability Info | 1 comment