[SC-L] BSIMM update (informIT)
Steven M. Christey
coley at linus.mitre.org
Thu Feb 4 14:23:20 EST 2010

On Thu, 4 Feb 2010, Jim Manico wrote:
> These companies are examples of recent "epic security failure". Probably
> the most financially damaging infosec attack, ever. Microsoft let a
> plain-vanilla 0-day slip through ie6 for years

Actually, it was a not-so-vanilla use-after-free, which once upon a time
was only thought of as a reliability problem, but lately, exploit and
detection techniques have recently begun bearing fruit for the small
number of people who actually know how to get code execution out of these
bugs. In general, Microsoft (and others) have gotten their software to
the point where attackers and researchers have to spend a lot of time and
$$$ to find obscure vuln types, then spend some more time and $$$ to work
around the various protection mechanisms that exist in order to get code
execution instead of a crash.

I can't remember the last time I saw a Microsoft product have a
mind-numbingly-obvious problem in it. It would be nice if statistics were
available that measured how many person-hours and CPU-hours were used to
find new vulnerabilities - then you could determine the ratio of
level-of-effort to number-of-vulns-found. That data's not available,
though - we only have anecdotal evidence by people such as Dave Aitel and
David Litchfield saying "it's getting more difficult and time-consuming."

- Steve