[funsec] vulnerability overstatement

Larry Seltzer larry at larryseltzer.com
Wed Jan 20 16:47:32 CST 2010

BTW, the severity ratings in Microsoft's advance advisory seemed weird
to me; almost everything was critical, even those platforms with real
mitigations, so I asked them.

The answer is that the Aurora bug isn't the only one being patched
tomorrow. Eight vulnerabilities will be patched.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer at ziffdavis.com 

-----Original Message-----
From: Charles Miller [mailto:cmiller at securityevaluators.com] 
Sent: Wednesday, January 20, 2010 5:39 PM
To: Larry Seltzer
Cc: funsec at linuxbox.org
Subject: Re: [funsec] vulnerability overstatement

Yes, that exploit works 1/3 of the time on XP and practically not at  
all once ASLR is thrown in.  But that doesn't mean exploits only work  
1/3 of the time with this vulnerability on XP.  Probably if someone  
cared to they could make it work 99% of the time, and MS doesn't  
refute this.  Likewise, an exploit doesn't try to defeat ALSR by  
guessing addresses, that's stupid, as MS points out.  However, that  
doesn't mean you can't code up an ASLR+DEP bypassing exploit for this  
vuln.  And if I wrote one, I certainly wouldn't be giving it to MS for  
testing!  :)  So researchers just want people to know that 'turning on  
DEP' doesn't solve the problem, just makes it harder (or makes the bad  
guy have to be smarter).

But, Tavis does rock.


On Jan 20, 2010, at 3:53 PM, Larry Seltzer wrote:

> It bugs me that (in general) security researchers and vendors never  
> give a full picture of mitigating factors and limitations when  
> discussing an attack. They want users to perceive the threat to be  
> as widespread as possible. Remember, those guys are just in it for  
> the money too.
> Let's compare two very recent examples: VUPEN's DEP-bypassing  
> exploit for the Aurora bug for one. What they said in public made it  
> sound like the exploit just plain runs on platforms where it had  
> been blocked by DEP, but I suspected a problem from the beginning:  
> DEP bypass schemes generally rely on techniques that are defeated by  
> ASLR, and IE runs with ASLR by default on Vista and Win7. Sure  
> enough, Microsoft's response to these claims (and I believe them) is  
> that ASLR greatly limits the utility of the DEP bypass:http:// 
> blogs.technet.com/srd/archive/2010/01/20/reports-of-dep-being- 
> bypassed.aspx. On Vista and Win7 the odds that it will execute are  
> too remote to bother with. Even on XP, it only works 1 in 3 chances.
> Contrast that with Tavis Ormandy's disclosure yesterday of the VDM  
> privilege elevation hack. He explained in full how it worked *and*  
> a) that it doesn't work on 64-bit kernels and b) gave instructions  
> on how to disable the 16-bit subsystems as a workaround. What a  
> gentleman. It sounds like he really just wants to help.
> Security firms never tell you that you need to run as administrator  
> to be vulnerable to something or that it won't execute reliably or  
> that you had to choose to run it manually. They just want you to be  
> afraid.
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer at ziffdavis.com
> http://blogs.pcmag.com/securitywatch/
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

More information about the funsec mailing list