Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: hellNbak (hellnbakat_private)
Date: Thu May 30 2002 - 09:41:21 PDT


    On Wed, 29 May 2002, Jon Bull wrote:
    
    > 1)  Unless the consultant's licence is very carefully distributed, unethical
    > people will purchase Typhoon II, which can be furnished with near-zero-day
    > exploits.  These are exploits that the public will be unable to guard
    > against until a patch is released.  I believe that eventually Typhoon II
    > will be used by unethical people to this end, and that it is impossible to
    > guard against this eventuality as long as the consultant's licence exists.
    > (This point may be invalid if the consultant must go through NGSS, who would
    > verify permission with the site to be tested.  I doubt this is the case, but
    > it would speak well of NGSS if this is the manner in which the consultant's
    > licence is handled.)
    
    Not only that, but it has been proven time and time again that anyone can
    get pretty much any software package they want, including cracks and/or
    licenses.  What is to stop a malicious person, or even another security
    vendor, from reverse engineering the "zero-day check" in order to discover
    the exploit?  This can be addressed by not checking for the issue itself
    but checking for OS and patch level, but anyone with any experience with
    vulnerability scanners knows that this is prone to generate false
    positives and create much user annoyance.
    
    > 2) Once an exploit is added to the list of checks on Typhoon II and an
    > administrator or consultant determines his system to be vulnerable, he must
    > still wait for a patch.
    
    Not really; if it is a specific service or configuration, a workaround
    could probably be created or ports can be filtered.
    
    > 3) The recent JRun advisory, I feel, gives up too much information.  I'm
    > sure as I type this someone is working to figure the length of the host
    > header field needed to achieve the overflow.
    
    I disagree - I think the JRun advisory was fine and, if anything, could have
    been more complete.  Sure, people are working on finding the exploit, but
    simply saying "there is an overflow possible in JRun via host headers" is
    enough to get people to start to poke and prod, at least it is for me.
    
    > Suggestion - Instead of making a scanner to test for a vulnerability that a
    > Typhoon user may not be able to prevent, why not create IDS software to
    > detect the exploit?  To me this seems a more defensive, responsible, and
    > effective role.
    
    Again, you expose the vulnerability in your signature.  Assuming that not
    all employees are completely trustworthy, this is a danger.
    
    My $.02 on this issue - I applaud David's efforts to force vendors to be
    more responsive.
    
    --
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    "I don't intend to offend, I offend with my intent"
    
    hellNbakat_private
    http://www.nmrc.org/~hellnbak
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
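The reply above notes that a scanner can avoid shipping an exploit-derived check by flagging hosts on OS and patch level alone, at the cost of false positives. The following added example (it is not code from this thread, from NGSS, or from Typhoon II) illustrates that trade-off with a hypothetical product `ExampleSvc`, a hypothetical fixed version `2.1.4`, and a hypothetical vendor hotfix `HF-2002-07` that backports the fix without changing the banner. A version-only check flags the hotfixed host as vulnerable; a check that also consults the host's installed patch list does not.

```python
from dataclasses import dataclass, field

# Hypothetical product and advisory data, constructed for this example.
PRODUCT = "ExampleSvc"
FIXED_VERSION = (2, 1, 4)              # first version where the fix ships
HOTFIXES_THAT_FIX_IT = {"HF-2002-07"}  # backported fix; banner stays unchanged


@dataclass
class Host:
    name: str
    banner: str                       # what the service reports, e.g. "ExampleSvc/2.1.0"
    installed_patches: set = field(default_factory=set)


def parse_version(banner):
    """Return the version tuple from a 'ExampleSvc/x.y.z' banner, or None."""
    prefix = PRODUCT + "/"
    if not banner.startswith(prefix):
        return None
    try:
        return tuple(int(p) for p in banner[len(prefix):].split("."))
    except ValueError:
        return None


def version_only_check(host):
    """Passive check: decide purely from the reported version string."""
    version = parse_version(host.banner)
    if version is None:
        return "unknown"
    return "vulnerable" if version < FIXED_VERSION else "not vulnerable"


def patch_aware_check(host):
    """Passive check that also credits vendor hotfixes listed on the host."""
    verdict = version_only_check(host)
    if verdict == "vulnerable" and host.installed_patches & HOTFIXES_THAT_FIX_IT:
        return "not vulnerable (hotfix present)"
    return verdict


# Constructed inventory: one true positive, one false positive, one clean
# host, and one host running a different product altogether.
HOSTS = [
    Host("web1", "ExampleSvc/2.1.0"),
    Host("web2", "ExampleSvc/2.1.0", {"HF-2002-07"}),
    Host("web3", "ExampleSvc/2.1.4"),
    Host("db1", "OtherSvc/9.0"),
]


def run_scan(hosts=HOSTS):
    """Map host name -> (version-only verdict, patch-aware verdict)."""
    return {h.name: (version_only_check(h), patch_aware_check(h)) for h in hosts}


if __name__ == "__main__":
    for name, (v_only, p_aware) in run_scan().items():
        print(f"{name}: version-only={v_only!r}, patch-aware={p_aware!r}")
```

The patch-aware variant still never touches the vulnerable code path, so nothing about the bug leaks from the check itself; the price is that the scanner now needs an authenticated view of each host's patch inventory, which is exactly the operational burden the reply alludes to.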
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    This archive was generated by hypermail 2b30 : Thu May 30 2002 - 12:44:55 PDT