Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: Ryan Russell (ryan@securityfocus.com)
Date: Tue May 28 2002 - 16:00:16 EDT


On Tue, 28 May 2002, Alfred Huger wrote:
> jumping to a visceral conclusion one way or another. The way this impacts
> the Pen-testing community is that these vulnerabilities which are in the
> process (presumably) of being fixed are actively being coded into the
> Typhon II Vulnerability Assessment Scanner from NGSSoftware.

I would suspect this wouldn't have much of an impact on the pen-testing
community, but I'll leave it to the professional pen-testers to answer how
often the very latest vulnerabilities come into play in their work. My
experience comes more from seeing how often really, really old
vulnerabilities are used in the wild, and work. This would tend to have
to also partially reflect the companies that hire pen-testers, though if
they've taken the step to hire someone, that company is at least
demonstrating a little more clue.

What it boils down to is the rest of us will have the information, just a
little later. I suppose part of the controversy is that NGSSoftware is
presumably going to benefit from holding back information, i.e. if you
want to check for the vulns they found, you have to buy their product.
This isn't new, either. A few years ago at a previous employer, I was a
licensed user of ISS' Internet Scanner. They had a check for a statd bug
(which came to my attention because it was getting positive matches) that
I could find no public documentation on. I.e. I was doing an internal
penetration test, and having a potential hole, I wanted to go ahead and
exploit it fully.

Of course the punchline is that I simply pulled out a sniffer, and read
the vulnerability details off the wire (it was a simple .. bug.) So,
NGSSoftware customers have full access to the details, no surprise. It
should be noted that it's not possible to copyright how a vulnerability
works in any way. So, if an NGSSoftware customer wants to leak that info to
the public, they are free to do so, unless perhaps the EULA says they
can't, in which case, they would just have to do so anonymously. Second,
people really can reverse-engineer the problem by diffing patches, source
or object. So, anyone who wants the hole can still have it, they just
have to spend more time and/or money. Take a look at the recent set of IE
holes Microsoft fixed. Several of them were discovered by MS themselves,
and I know for a fact that some people outside of MS now know how the
holes work.

So, I don't see how their policy really changes anything. We'll all still
have access to the holes, good guys and bad. Once there is a hint that
there's a problem somewhere, it will be ferreted out.

                                        Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT