On Thu, 10 Jun 2004 13:50:47 PDT, Eric Rescorla said:
I'm asking the question: If you find some bug in the normal course of your operations (i.e. nobody told you where to look) how likely is it that someone else has already found it?
And you're asking a question more like: Given that you hear about a bug before its release, how likely is it that some black hat already knows?
I think that the answer to the first question is probably "fairly low". I agree that the answer to the second question is probably "reasonably high".
Third case: Exploit in one package identified because of info from a similar exploit against some *other* package....

Back in March 2000, I spotted a rather nasty security bug in Sendmail (fixed in 8.10.1) when running under AIX or SunOS. Since the problem is a documented *feature* of the system linker, a *lot* of software had the problem - and the Sendmail release notes give enough info to make it "game over". At that point, the 3 big things left were (a) writing a general-case exploit (trivial if you use another one of the basic design goals of the AIX linker against itself), (b) creating a shell one-liner to identify vulnerable programs, and (c) running the script from (b). Of the three, (c) was actually the most time-consuming.

3 years later, another package (OpenSSH) hit the same hole:
http://www.securityfocus.com/archive/1/320149/2003-04-30/2003-05-06/0

And it was a known issue months before I tripped over it:
http://mail.gnome.org/archives/gtk-devel-list/1999-November/msg00047.html

I'd be most surprised if black hats did *not* have an exploit for the OpenSSH variant, having been pointed at the issue due to my finding a similar issue in Sendmail.....

And there's *plenty* of evidence that when a novel attack is found, you see lots of people posting "So I was bored and decided to see what *else* had the same sort of bug..." (think "buffer overflow" ;)