On Fri, 18 Feb 2011 10:07:26 EST, Charles Morris said:

> It is my personal belief that all vulnerabilities should be patched
> regardless of existence of a known attack vector or exploit.

Let me fix that for you:

All vulnerabilities should be evaluated as to whether patching them makes sense.

If it's a one-liner fix for a stupid logic error, yes, it probably should be patched whether or not there's a known exploit. The problem starts when you hit something that's a deeply seated design issue in a published API - then you need to balance the costs of possible exploits against the equally real costs of fixing the problem (which may end up requiring a possibly large number of third parties to fix their usage of the API).

The Windows "shatter attack" is a good example:

https://secure.wikimedia.org/wikipedia/en/wiki/Shatter_attack

Why was that such a pain to fix over multiple years? Because you couldn't fix it without breaking legitimate users of the interface. And here it is almost a decade later, and I'm not 100% convinced it's totally fixed yet.

That one was pretty obviously an issue where a paper was out showing how to exploit it, in a very highly visible and widely distributed piece of software. But there are plenty of packages that have only thousands or even mere hundreds of users (especially off on the long-tail end of open-source). If one of those projects is discovered to have a major hole, but it's a package that's usually used on a laptop and you need to run code on the target machine, how important is it *really* to be patched? If the attacker is already running code on your laptop as another user, the additional privilege escalation to your userid may not matter that much anymore...

So yes, evaluation is needed. But patching it may not make any realistic sense, depending on the nature of the issue and who is potentially affected.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/