Predicting Vulnerabilities, Quotes and More

[This was originally published on the OSVDB blog.]

Interesting article for several reasons. Below are some of the interesting quotes that stood out to me and may prove to be interesting topics.

http://news.bbc.co.uk/1/hi/technology/3485972.stm

Hackers exploit Windows patches
By Mark Ward
Last Updated: Thursday, 26 February, 2004, 10:54 GMT

“We have never had vulnerabilities exploited before the patch was known,” [David Aucsmith, Microsoft Security Business and Technology Unit] said.

I don’t think Aucsmith or any vendor can say this with any certainty. If a vulnerability is found by a security company and disclosed to the vendor, it leads to a patch down the road. When the patch comes out, as most of us know, many people will reverse engineer it to figure out the vulnerability. On the same note, IDS signatures follow the exploits, which in turn follow the patches. So if an unpatched ‘0-day vulnerability’ is being exploited, how do we know? The chance of detecting such an attack, and thereby knowing whether this statement is true, is significantly lower.

“It’s a myth that hackers find the holes,” said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.

Very interesting! Symantec attempts to predict which vulnerabilities will be exploited next. I wonder how =) It would be easy to do a high-level analysis (expect to see this from mi2g or Gartner): “We predict that the X vulnerability, which is a remote system-level compromise that does not require authentication, will be widely exploited in short order.” We can all predict this and be right most of the time. I assume Symantec does something above and beyond that…

“Almost all attacks against our software are against the legacy systems,” [David Aucsmith] said. “If you want more secure software, upgrade.”

This makes you wonder whether Microsoft cares less about security because these nasty vulnerabilities are the best argument for buying the latest version they offer. Beyond that, how many of the recently reported vulnerabilities affect their latest products? This quote seems like pure marketing spin.
