Valdis.Kletnieks@vt.edu writes:
On Thu, 10 Jun 2004 08:50:18 PDT, Eric Rescorla said:
Valdis.Kletnieks@vt.edu writes:
Remember that the black hats almost certainly had 0-days for the holes, and before the patch comes out, the 0-day is 100% effective.
What makes you think that black hats already know about your average hole?
Because unlike a role playing game, in the real world the lawful-good white hats don't have any deity-granted magic ability to spot holes that remain hidden from the chaotic-neutral/evil dark hats.
Explain to me why, given that MS03-039, MS03-041, MS03-043, MS03-044, and MS03-045 all affected systems going all the way back to NT/4, and that exploits surfaced quite quickly for all of them, there is *any* reason to think that only white hats who have been sprinkled with magic pixie dust were able to find any of those holes in all the intervening years?
Actually, I think that the persistence of vulnerabilities is an argument against the theory that the black hats in general know about vulnerabilities before they're released. I.e., given that the white hats put a substantial amount of effort into finding vulnerabilities, and yet many vulnerabilities persist in software for a long period of time without being found and disclosed, that suggests that the probability of white hats finding any particular vulnerability is relatively small. If we assume that the black hats aren't vastly more capable than the white hats, then it seems reasonable to believe that the probability of the black hats having found any particular vulnerability is also relatively small.

For more detail on this general line of argument, see my paper "Is finding security holes a good idea?" at WEIS '04.
Paper: http://www.dtc.umn.edu/weis2004/rescorla.pdf
Slides: http://www.dtc.umn.edu/weis2004/weis-rescorla.pdf

WRT the relatively rapid appearance of exploits, I don't think that's much of a signal one way or the other. As I understand it, once one knows about a vulnerability it's often (though not always) quite easy to write an exploit. And as you observe, the value of an exploit is highest before people have had time to patch.

-Ekr
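The probability argument in the reply above, worked through as an added illustrative model. This is not code from the thread and not the model in the WEIS '04 paper; it assumes, as a modelling choice, that white-hat and black-hat discovery of a given hole are independent exponential processes with per-year rates lam_w and lam_b, and the only input (the white hats finding 10% of holes within five years) is a constructed figure used to back out lam_w. It separates two quantities that the thread runs together: the fraction of all extant holes the black hats know at a given age (small when the rates are small), and the chance that a hole the white hats do eventually disclose was already known to the black hats (fixed by the ratio of the two rates, which is exactly what the "not vastly more capable" assumption is about).

```python
"""Illustrative model of independent vulnerability discovery.

Added example; not from the original thread or from Rescorla's paper.
Assumption: for a given hole, time-to-discovery by white hats (W) and by
black hats (B) are independent exponential random variables with rates
lam_w and lam_b (per year). Input figures below are constructed.
"""
import math
import random


def rate_from_fraction_found(fraction_found: float, years: float) -> float:
    """Per-year rate implied by 'fraction_found' of holes being found
    within 'years' of exposure: 1 - exp(-rate*years) = fraction_found."""
    if not 0.0 < fraction_found < 1.0:
        raise ValueError("fraction must be strictly between 0 and 1")
    return -math.log(1.0 - fraction_found) / years


def p_found_by(rate: float, years: float) -> float:
    """Probability a finder with discovery rate 'rate' has found a given
    hole after 'years' of exposure."""
    return 1.0 - math.exp(-rate * years)


def p_black_hat_first(lam_w: float, lam_b: float) -> float:
    """P(B < W) for independent exponentials: the chance that a hole the
    white hats eventually disclose was already in black-hat hands."""
    return lam_b / (lam_w + lam_b)


def simulate(lam_w: float, lam_b: float, age_years: float,
             trials: int = 100_000, seed: int = 1) -> tuple[float, float]:
    """Monte Carlo cross-check of the two closed forms above.

    Returns (fraction of holes black hats know at 'age_years',
             fraction of white-hat-disclosed holes black hats found first).
    """
    rng = random.Random(seed)
    known_at_age = 0
    black_first = 0
    for _ in range(trials):
        w = rng.expovariate(lam_w)  # white-hat discovery time
        b = rng.expovariate(lam_b)  # black-hat discovery time
        if b <= age_years:
            known_at_age += 1
        if b < w:
            black_first += 1
    return known_at_age / trials, black_first / trials


if __name__ == "__main__":
    # Constructed input: white hats find 10% of holes within five years.
    lam_w = rate_from_fraction_found(0.10, 5.0)
    for ratio in (1.0, 3.0):  # black hats equally / three times as capable
        lam_b = ratio * lam_w
        known, first = simulate(lam_w, lam_b, age_years=5.0)
        print(f"lam_b/lam_w={ratio:.0f}: black hats know "
              f"{p_found_by(lam_b, 5.0):.2%} of 5-year-old holes "
              f"(sim {known:.2%}); of holes white hats disclose, "
              f"{p_black_hat_first(lam_w, lam_b):.2%} were already known "
              f"(sim {first:.2%})")
```

Run as a script it prints both quantities for equal and for three-times-more-capable black hats. Changing the constructed 10%/5-year figure only rescales the first quantity; the second depends on the capability ratio alone, so it is the assumption to argue about.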