On Sat, Sep 27, 2014 at 11:57 PM, Keith Medcalf <kmedcalf@dessus.com> wrote:
> This is another case where a change was made.
> If the change had not been made (implement the new kernel) then the vulnerability would not have been introduced. [...] The more examples people think they find, the more it proves my proposition. Vulnerabilities can only be introduced or removed through change. If there is no change, then the vulnerability profile is fixed.
I see what you did there... you expanded the boundaries of the "system" to include not just the application code but more and more of the environment, CPU, Kernel, .... The problem is, before it is an entirely correct statement to assert that a zero entropy system never develops new vulnerabilities, you have to expand the boundaries of the "system" to include the entire planet. Suppose you have a vulnerability that can only be exposed if port 1234 is open. That's no problem, you blocked port 1234 on the external firewall, therefore the application cannot be considered to be vulnerable during testing. A few years later you replace the firewall with a NAT router that doesn't block port 1234. Oops! Now you have to consider the entire network and the Firewall to be part of the application / internal part of the system. And it doesn't end there. Eventually for the statement to remain true, the boundaries of the system which 'cannot develop a vulnerability unless it changes' have to expand in order to include the attackers' brains. "If the attacker discovers a new trick or kind of attack they did not know before" then a change to the system has occurred.

-- 
-JH