Friday, July 25, 2008

It's the end of the world as we know it...and I feel fine


I'm confused about what all the debate is over HD and I)ruid releasing exploit code.

Every time there is a new vulnerability WITHOUT code everyone wants to debate and bitch about the "real impact" because there is no exploit code. But as soon as exploit code comes out all the bloggers and security people get to do the "Patch Now!" post. SO, if the vulnerability is indeed as serious as people say it is... you should all be kissing HD's and I)ruid's asses for throwing out the ammunition to get the serious vulnerability patched in a hurry.

Is the average fresh CEH graduate script kiddie going to pwn the internet with this aux module? Hell no. After they get a domain poisoned, they still have to launch some sort of client side attack, deliver some malware that won't get flagged by AV, secure the box, and manage all the bots. Is that realistic for the average "script kiddie"? I don't think so.

Maybe a real bad guy can make that happen, but to think that "real bad guys" didn't already have this exploit after all the talk about it is just plain asinine.

I'm personally glad I have at least another quarter of job security; this kind of fear mongering is always great for job security and buying new toys.

**edit
Richard Bejtlich wrote up a similar but better response to the issue: http://taosecurity.blogspot.com/2008/07/dns-and-cyber-tardis-problem.html

**edit #2
Good writeup on the Verizon security blog about the issue and possible scenarios.
http://securityblog.verizonbusiness.com/2008/07/25/dns-exploits-what-could-actually-happen/
CG

4 comments:

sandro said...

But with tools like evilgrade and Cain and Abel, script kiddies can.

He just needs a minimal amount of brain cells, that's all.

CG said...

Now to be fair, I posted that before evilgrade was released ;-)

CG said...

Oops, guess that post on gathering emails won't be helping that either...

Morgan Storey said...

Why aren't good old, non-HTTPS Windows updates there?
I think the fact they published code is a good thing. Sure, every script kiddie out there is now trying to use it to their advantage, but it sounds like they tried reasonable disclosure and no one listened.
If no one listens, then you tell everyone; if still no one listens, you release the exploit and wait.