John Howie wrote:

> I disagree. From a risk perspective you need to know mitigating factors.
> To kill the hype that accompanies a newly discovered vulnerability you
> need a cool, dispassionate overview of the problem. Your sample
> 'aggravating' factor was anything but, and would be more likely to add
> to the hype.

You're in favor of vendors publishing false statements as a means of mitigating the threat of hype?

Microsoft, after reading their own security bulletins, mistakenly concludes that privilege elevation vulnerabilities like MS03-005 "cannot be exploited remotely."

A privilege elevation threat is in some ways more critical than a buffer overflow. The reason is that there are attackers out there (especially insiders) who have been sitting in a position to execute arbitrary code under unprivileged user account security contexts for years, looking for a way to elevate privileges. MS03-005 may unleash those pending threats, because employers routinely "share between users" Windows boxes deployed within the organization. By design an Active Directory-based network is "shared between users".

And you should be aware that Windows is not just for the desktop anymore. Windows is being used as the foundation of Web hosting providers' commercial services, and Web hosting under Windows is designed to be extensible and programmable; a privilege elevation exploit that can be mounted by your neighbor on a shared Web hosting box directly impacts your security. The entire threat in this case is remote, because it happens on somebody else's server box where you rent space. To claim that a privilege elevation attack cannot be exploited remotely is to fail to consider the real-world usage scenarios in which attacks really occur.

I'm sure you've seen as many examples of vendors believing their own propaganda as I have over the years.

A vendor who habitually misstates and mischaracterizes the risk posed by their products does a lot of harm, and guarantees that incidents will occur in the future that create far more hype than would emphasizing the extreme possibilities for exploitation of each vulnerability in the first place.

Besides, I thought our collective infosec goal was to prevent incidents, not work together to prevent hype.

Jason Coombs
jasonc@science.org