©1997/2004, Active Network. All
Rights Reserved.
Layout & Design by
Designer Dream. Content
written by the Active Network team.
Time: 09:50 EST/14:50 GMT | News Source: E-Mail | Posted By: Brian Kvalheim
The time is coming when zero-day threats will become a reality, according to Symantec Corp.'s recently released Internet Security Threat Report. The report found the total number of vulnerabilities remained constant between 2003 and 2002, but the actual flaws are more severe. "In addition, the period of time between the announcement of a vulnerability and the release of an associated exploit is shrinking," according to a press release on the report. In total, 2003 saw 2,636 vulnerabilities released, compared to 2,587 found in 2002. However, there was a monthly average of 115 "moderately severe" flaws last year compared to just 98 a month in 2002. Moreover, the number of vulnerabilities that have exploit code increased 5% in 2003.

#1 By 2332 (216.41.45.78) at 3/16/2004 10:52:37 AM
Not sure how an increase in the number of vulnerabilities leads to the conclusion that we now have the new potential for a zero day exploit.
A zero day exploit is an exploit that hits the net *the same day* as the vulnerability is discovered. This certainly happens when the source of the exploit is the same person who discovered the flaw, but the vast majority of the time these are two very different parties.
So what it comes down to is how responsible the people who discover the flaws are. If those people report the flaw to the company who wrote the software, then keep it to themselves for a reasonable amount of time, the risk of zero day flaws is very small.
So the real problem here is ego. If the people who find the flaws can keep their ego in check, it will greatly mitigate this risk.
Of course, we can't rely on this.

#2 By 2332 (216.41.45.78) at 3/16/2004 12:38:31 PM
mOOzilla - your actions are irresponsible. Simple as that.
Obviously the companies care. Perhaps you got an idiot as a contact at the company. So you hurt both the company and its users by releasing an exploit to punish that company for hiring stupid customer reps?
Give me a break.

#3 By 20 (24.173.210.58) at 3/16/2004 12:46:26 PM
Sorry mOOzilla, I accidentally clicked DELETE on one of your posts, I'm really sorry.
Here was the original post:
mOOzilla wrote:
Yes because sending zero or 1 byte to AV an and this is their quote "Enterprise level gateway" will kill hundreds of innocent bystanders and the only way to identify them is by DNA or dental records. The horror.
Maybe I should pack in more 1's and 0's for shrapnel damage.

#4 By 12071 (203.185.215.149) at 3/16/2004 5:40:01 PM
mOOzilla is right, big companies just don't care - why would they waste time and resources fixing something that may or may not be being exploited? - they would rather be developing new products/features etc.
That doesn't mean that you should be posting an exploit with your advisory, but by all means, include all the information about it, let's keep everything out in the open and put a bit of pressure on companies to fix their bugs. And this goes for everyone, not just Microsoft.
RMD, you say you like eEye, well if you take a look at their 'upcoming' page you will find 6 bugs which are from 56 to 128 days overdue (this is on top of their 60-days to fix the bug from discovery timeframe). I would imagine that Microsoft wouldn't be sitting on these bugs for 188 days if their full details had been provided. So now you just have to sit back and hope that someone else, during the last 188 days (or before then even!), hasn't found this bug on their own and taken advantage of it. I'm glad you have such a high level of hope!

#5 By 12071 (203.185.215.149) at 3/16/2004 11:26:34 PM
#12 "exploit was discovered"
Exploits aren't discovered, they are created, therefore the exploit was created after the vulnerability was found, hardly "negative day".
"compromised by exploits discovered by hackers who have not publicized the hole."
Which is why people such as mOOzilla and myself want total exposure and information for every hole found, regardless of whether it's for Linux, BSD, OS X, Windows or your Cisco router! Don't care what it is, as soon as a hole is found, inform everyone about it! That way we can all manage the risk even if that means turning off a particular service until a patch is released. Keeping things closed up doesn't help anyone!
The mremap bug you mentioned was detailed on SecurityFocus when it was found:
http://www.securityfocus.com/archive/1/354284
So you were able to see the full details of it and as a result of disclosing all the information a patch was released within a day.

#6 By 2332 (65.221.182.2) at 3/16/2004 11:44:05 PM
#7 - "Since you are so busy crying like the little girl you are, you will not be able to keep up."
Huh? I'm not even sure I know what that means? Care to be coherent?
"That's the difference between me and you"
Oh, there are a lot of differences... and I'm glad there are.
"I'm doing something whereas you are just so busy mouthing off and crying"
Yes, you're doing something... and it's the wrong something. I'm not "mouthing off". When I discover a security hole, I report it to the company. I give the company a reasonable amount of time to fix that bug (which is proportional to my best guess about the severity and scope of the hole), and if they are still unresponsive, and I'm reasonably sure that they are unresponsive for bad reasons (like they don't care), I release information about that hole publicly. Simple as that.
My response has the greatest potential to protect the greatest number of people. Your solution has a far greater potential to hurt people. Is it possible that an exploit for the hole I found already exists and it's being used right now? Sure. But the fact of the matter is that the greater the hole the more likely it will be found. If all of a sudden machines that are fully patched are compromised people will start watching and will figure it out. This information will spread, and soon that secret exploit will be exposed.
In your scenario, script kiddies all over the place will launch many, many attacks that could hurt many, many people. In my scenario, there may be some isolated attacks over that hurt a few people. Even if the company takes months to fix the bug, there would still be fewer overall attacks in my scenario than in yours. How is yours better?
"big companies just don't care - why would they waste time and resources fixing something that may or may not be being exploited?"
Because they know that hole will eventually be well known. Even if that particular person who found the hole doesn't tell anybody, it's just a matter of time before somebody with lower moral standards figures it out.
"RMD, you say you like eEye, well if you take a look at their 'upcoming' page you will find 6 bugs which are from 56 to 128 days overdue (this is on top of their 60-days to fix the bug from discovery timeframe)"
Ya, and why would this change my mind? I think it's important to make sure companies know the hole will eventually be well known. I think the timeframe should be variable depending on the hole in question, but the same principle applies. The fact of the matter is, neither you nor I have any idea how long it takes to regression test the THOUSANDS of products that could be affected by a seemingly simple change in the Windows source code. It takes incredible ignorance and arrogance to say "it's an easy fix! they should have it done in a couple of days". The more pervasive a piece of software, the easier it is for simple things to quickly turn incredibly hard.
I would say it's a safe guess that nobody on this board has worked on a software project approaching even close to the complexity of Windows. The biggest project I've ever personally worked on was maybe 150,000 lines of code. It took an incredible effort to regression test changes to basic functionality to ensure it didn't break anything else. I can only imagine the process at Microsoft.
"I would imagine that Microsoft wouldn't be sitting on these bugs for 188 days if their full details had been provided"
I'm the first to point out when a bug has gone unfixed for a long period of time. How many times have I posted the PivX link that lists all the known IE exploits that have gone unpatched for months? I, too, think it's important to put pressure on companies... but there has to be a happy medium between the moronic "release immediately" policy, and the naive "keep it secret forever" policy.

#7 By 12071 (203.217.20.231) at 3/17/2004 5:30:47 AM
#15 "I prefer a professional approach to patching security holes"
If you define "professional" as taking 200+ days to fix a hole, rolling multiple patches into one and not telling anyone about the complete contents of those patches... then you're right... I don't prefer YOUR definition of "professional"!
I prefer full disclosure of all bugs found and a patch released asap. If that means lots of patches in the end, so be it, the quantity of patches doesn't say anything, it's like comparing the speed of CPU's all with different architectures! You prefer to hope that Microsoft releases a patch before anyone exploits it, and if you think that Microsoft don't re-release the same patch, have a look at the patches in the last few months smart-ass! Professional code reviews... ha!

#8 By 2332 (65.221.182.2) at 3/17/2004 8:11:59 AM
#16 - That's all you have to say? After all that moronic babble that preceded this?
I spent a good 15 minutes formulating a reply to your idiotic point of view - a view that clearly hasn't been thought out for more than 5 minutes - and all you can reply with is "deal with it"?
#17 - "prefer full disclosure of all bugs found and a patch released asap"
I've already stated why this causes more damage than keeping the exploit secret while the company writes a patch. What other reasoning do you have?
Even in the case of open source software where users can fix holes themselves, most won't. Most users don't have the ability to fix the hole. So by releasing the information about the hole before a fix is available you've put more people at risk in pretty much every circumstance.
This post was edited by RMD on Wednesday, March 17, 2004 at 08:12.

#9 By 2332 (216.41.45.78) at 3/17/2004 1:33:04 PM
#20 - "A bugfix can be tested for regressions in a day easily. I don't care about the length of time to get a fix I still release all information, tough titty."
Congratulations. You've just proved, without a doubt, that you are completely clueless.
Well, that was fun. Next.
This post was edited by RMD on Wednesday, March 17, 2004 at 13:33.