CVE Commentary

[This was originally published on the OSVDB blog.]

CVE editor Steven Christey has begun to post commentary related to CVE and VDBs.

[2013-07-07 Update: This effort didn’t last long. The last update was 2006-02-16, 4 days after this blog post. =(]

Insert a classy pun.

[This was originally published on the OSVDB blog.]

This entry should have been published days ago. On top of being overly busy and spread thin, I ran into a big problem related to finding a reference I wanted to include, which will lead to this being a little more ranty than intended.

How is it that our industry is over twenty years old (don’t bother debating how old the ‘security’ industry really is), and we don’t have a list of commonly accepted vulnerability classifications? Traditionally, it was fairly easy to list out the major classifications: overflow, symlink, race condition, command injection, XSS, SQL injection, path disclosure, traversal, denial of service, format string, etc. Over time we saw new types of vulnerabilities like HTTP Response Splitting, CRLF injection, off-by-one, underflows, etc. So, who keeps a list of what constitutes a class of vulnerability? The Secure Software Body of Knowledge has nothing, SANS’ glossary doesn’t even appear to have cross site scripting, and the OWASP Top Ten is a bit too high level. The best resources are probably:

  1. The OWASP Vulnerability Listing, but I think this is too detailed to cover a general classification breakdown.
  2. Mitre’s Common Weakness Enumeration (CWE) might be the best due to their hierarchy system and more general categories.
  3. CVE’s Vulnerability Abstraction has a decent breakdown more like my quick list above, but might be considered a bit lacking, or soon will be.
  4. The Web Application Security Consortium Web Security Glossary, but it is web-centric.

That said, now I can get back to my original point! On September 29, Stefan Esser posted an advisory in which he said “While searching for applications that are vulnerable to a new class of vulnerabilities inside PHP applications we took a quick look…“. This led me to remember an article last year titled Microsoft unveils details of software security process in which Window Snyder (former Microsoft security strategist) said “These are entire classes of vulnerabilities that I haven’t seen externally. When they found these, (the developers) went on a mission, found them in all parts of the system, and got rid of them.” referring to vulnerabilities that were proactively removed. The article goes on to say “Moreover, the company found and fixed two classes of vulnerabilities that have not been discovered elsewhere, she said.”

Anyone else curious about these? Less than a year, and three new classes of vulnerabilities? Come on Window, you left Microsoft, you can speak up now! Stefan, spill the beans, give us details!

Thanks for discussion and pointers: Steven Christey, Chris Wysopal, Sullo

Google VulnSearch?

[This was originally published on the OSVDB blog.]

Fall behind and someone will always beat you to the punch! Gadi Evron posted an entry over at Securiteam on the topic of using Google’s Codesearch to find vulns. Since he and others are writing about this, I don’t have to! However, I’ll post a few more thoughts before anyone else does, maybe!

First, we have this great ability to (ab)use Google’s Codesearch to find vulnerabilities through fast code analysis. Is this a fun but very short fad? Or will we see people use this to disclose vulnerabilities and give credit to their method? Will it lead to a lot of false positives, like we’re seeing with remote file inclusion? Several ‘researchers’ are grep’ing for a single string, finding it, and posting it as a remote file inclusion vulnerability without really analyzing the code or testing their own “proof of concept”. Hopefully, researchers will use this new tool to not only find vulnerabilities, but truly validate their findings before disclosing.

Second, who is going to be the first to create an interface that smoothly links Google Codesearch with a robust static code analyzer? Imagine a web interface where you choose a few key things like what language and what types of vulnerabilities, click, and get all the results. The program would then pipe the Codesearch results into the code analyzer and spit out a list of high-probability vulnerabilities.
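As an added illustration of the two points above (this is example code written for this page, not code from the original post, from Google Codesearch, or from any real analyzer): a single-string search flags every file containing `include(`, which is exactly how the remote file inclusion false positives arise, while even a shallow line-by-line data-flow check distinguishes an include whose argument is raw request input from one whose argument is whitelisted or constant. The three PHP fragments are constructed stand-ins for search hits, and the `triage` heuristic (what counts as a taint source, what counts as a validator) is my own assumption rather than any tool’s documented behaviour.

```python
import re

# Constructed PHP fragments standing in for Codesearch hits (not from any real project).
TRULY_VULNERABLE = """<?php
$page = $_GET['page'];
include($page . '.php');
"""

VALIDATED = """<?php
$allowed = array('home', 'about', 'contact');
$page = $_GET['page'];
if (!in_array($page, $allowed, true)) {
    $page = 'home';
}
include($page . '.php');
"""

NO_USER_INPUT = """<?php
$page = 'home';
include($page . '.php');
"""

# What a "grep for one string" search amounts to.
NAIVE_PATTERN = re.compile(r"\b(?:include|require)(?:_once)?\s*\(")

# Request superglobals that make a value attacker-controlled (assumed taint sources).
REQUEST_SOURCES = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# "$var = <expr>;" at the start of a statement.
ASSIGNMENT = re.compile(r"\$(\w+)\s*=\s*(.+);")
# include/require statements, with or without parentheses, capturing the argument.
INCLUDE_STMT = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*(.+?)\s*\)?\s*;")
# Calls that this heuristic treats as validating the value passed to them.
VALIDATORS = re.compile(r"\b(?:in_array|array_key_exists|basename|preg_match|ctype_alnum)\s*\(")


def naive_grep(source):
    """The single-string approach: any include/require call is a 'hit'."""
    return bool(NAIVE_PATTERN.search(source))


def triage(source):
    """Line-oriented taint walk (a heuristic, not a PHP parser).

    Tracks variables assigned from request superglobals, notes when such a
    variable is passed through a validator, and reports include/require
    statements whose argument still carries unvalidated request input.
    Returns a list of (line_number, tainted_variable) findings.
    """
    tainted = set()
    validated = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        assign = ASSIGNMENT.match(line.strip())
        if assign:
            var, rhs = assign.group(1), assign.group(2)
            if REQUEST_SOURCES.search(rhs):
                tainted.add(var)
            elif not any(("$" + t) in rhs for t in tainted):
                # Reassigned from something that is not tainted: no longer tainted.
                tainted.discard(var)
            continue
        if VALIDATORS.search(line):
            for var in tainted:
                if ("$" + var) in line:
                    validated.add(var)
        inc = INCLUDE_STMT.search(line)
        if inc:
            arg = inc.group(1)
            if REQUEST_SOURCES.search(arg):
                findings.append((lineno, "request input used directly"))
            for var in sorted(tainted):
                if ("$" + var) in arg and var not in validated:
                    findings.append((lineno, var))
    return findings


def classify(source):
    """Combine both views into the verdict a reviewer would actually want."""
    if not naive_grep(source):
        return "no include/require"
    return "likely file inclusion" if triage(source) else "include present, argument validated or constant"


if __name__ == "__main__":
    for name, src in (("vulnerable", TRULY_VULNERABLE), ("validated", VALIDATED), ("constant", NO_USER_INPUT)):
        print(f"{name:10s} grep hit={naive_grep(src)!s:5s} triage={classify(src)}")
```

All three fragments are grep hits; only the first survives triage. A real analyzer would need a proper parser and inter-procedural tracking, but the gap between the two columns of output is the gap between a search result and a validated finding.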

Some of these ideas courtesy of email discussions with Chris Wysopal, Mudge and others.

General TV Complaint

I’ve thought about this post in my mind for the last two years, since I’ve started watching more TV shows. Thank $deity for torrents and a 19″ monitor, because I certainly can’t watch the shows on the networks’ timetables. Yes, I pay 55 bucks a month for extended cable and *never* turn my TV on. Fuck their schedules, fuck them for airing complete crap instead of the prime shows more than once. They are begging for their customers to turn to TiVo (and fast forward past commercials) or torrents. For a more dry rundown of TV shows (last season), check out my thoughts.

My thoughts on television today…

There are a lot of great shows on TV these days. Bigger budgets, movie stars making the shift back to weekly TV, more viewers and higher advertising. Shows like 24 and the various Law & Orders and CSI are getting the attention, and rightfully so. Admittedly, I watch 24 only when I have all twenty four episodes downloaded from the previous season, and I watch it much like I watch a car wreck or police action on 18th Street from my balcony. More recently, shows like Lost and a few others I don’t watch (Grey’s Anatomy) are becoming all the rage, even though most people didn’t enjoy J.J. Abrams’ first show (Alias) beyond the first season. Unfortunately, the mainstream press simply must follow the popular shows and give no thought or attention to the lesser known but equally enjoyable shows (exception: Entertainment Weekly continually gives props to Battlestar Galactica!). If you haven’t seen BSG on SciFi, you are missing out. Ditch your pedantic views on television and cast aside this notion that ‘sci fi’ is for nerds and geeks. The show is phenomenally written, beautifully directed and masterfully designed from season to season. The show is not about “killing toasters” as much as it is about exploring human interaction, social drama and current political nightmares. The writers and directors are smart though, and they know they can take all of the political issues of today, wrap them in a blanket of “that stupid sci fi”, and get away with exploring them in ways conventional TV could not.

Reality TV is dead, the networks just don’t know it yet. Survivor this year perfectly demonstrates that, since it is moving to a ‘racial’ theme after *twelve* years of running. Read the back story, people: they had to *recruit* some of the minorities you see, because only white people are crazy enough to volunteer to go on the show. They couldn’t even get a full team (5 members per team) of Hispanics, African-Americans and Asians. Three episodes in and the show is getting boring, the stereotypes are dull and even watching one race insult themselves is old. The only compassion I found for anything on that island was for the poor chickens.

Crime pays. Anyone who tells you otherwise wasn’t a good criminal or isn’t in the entertainment business. The law enforcement themed shows are at an all time high. COPS is in its *19th season*, believe it or not! Law & Order has several shows, CSI has three, The Closer gets good reviews (for some reason), Criminal Minds is entertaining.. the number of ‘bad guy’ shows is spiking again, including Heist, Thief and several more this season. I won’t bother listing the other dozen shows that fall under this category out of fear of boring you to death. The sad part is, the best ‘bad guy’ series is on BBC and just now hitting the US: Hustle. If you haven’t seen it, make a point to do so. Only six episodes per season, but absolutely brilliant. In this category, also worth seeing are The Shield and The Wire (HBO). Fortunately, several mainstream lackeys have finally caught on to the power and intensity of The Wire and it is beginning to get the attention it deserves. Killer Instinct (lame), The Inside (had potential), Wanted (yawn), Eyes (gimmick), Without a Trace (pretty good), Cold Case (pretty good).. the list goes on.

I know I mentioned the CSI franchise last paragraph, but it really deserves its own. First, did you know that the UK had its own forensic show years before CSI? It’s called ‘Silent Witness’ and according to many UK fans has “sold out” in trying to be more like CSI and losing its core values. Perhaps this is one time where the US stole an idea and did it right though.. CSI (the original) continues to be outstanding. I wish the series luck in its break from formula (to a degree) in the 7th season, but I wonder if they will lose audience since they are now demanding you watch episode to episode to see a case finish. One value of the show in prior years was that 43 minutes of attention (you don’t actually watch commercials, do you?!) and you saw one or two cases solved. CSI:NY listened to criticism and made some important changes in season 2 (less so in S3 this fall), and the show continues to be entertaining. The cases are a bit ‘Miami’, but the characters (Sinise!) carry the show. Now, the number one train wreck of a TV show five years running? CSI:Miami. Whoever writes and produces this show needs to jump the shark, bite the bullet, and get the fuck off the air. The show is beyond ‘bad’, boldly sucking like no show has before. David Caruso cannot act. He is a cliché of himself, and needs to die off fast. (Dare you to play the Caruso/CSI drinking game; drink when a) he puts his sunglasses on/off, b) uses the person’s first name in casual dialog, c) puts his hands on his hips or d) looks down while talking to someone. You’ll be trashed before the opening credits.) The rest of the characters are boring, shallow, can’t act and have no other redeeming quality. The only character that DID have a little appeal got killed off (the guy who was a CSI but did it as a job, not for some profound love of the profession). The pop tart fake southern bimbo needs to die in a fire to save us from more agony. I don’t care if it is Miami, having every single case be loaded with rich bitches and blinged out retards is overdone. We don’t need to see million dollar houses/boats/cars in every single case. Speaking of the crime shows, why are medical examiners always African American? The Closer, L&O SVU, L&O, CSI:NY, CSI:Miami.. seems odd.

On the technical crime series.. a while back, Kiera mentioned how annoying it was dealing with TV shows that felt they were forced to dumb down for the average retarded viewer. While I understand the networks for doing this, I also challenge them to break from the norm and move on. If you aren’t smart enough to pick up on the pink cotton swab in *season 7* of CSI, then the show probably isn’t for you. The rest of the world is tired of hearing the same explanations for every minor thing week after week. Some of us want to know how TV would evolve if they didn’t have to carry the baggage of new viewers. Oh, CSI:Miami, the fact that every single scene in the lab begins with “Oh, is that the X from case Y?” to set the stage is BORING. Fuck yourself with a baseball bat you ignorant jackass retards. You are writing down to the retard population that you are part of.

Other shows that stand out: Boston Legal, pretty twisted humor written into this show, Shatner and Spade carry it without a hint of burden. Weeds (Showtime) is a brilliant comedy that would fail miserably on public channels, but floats by on premium because it embraces that edge. Rescue Me, no pondering how real it is, the character interaction alone is worth the watch. Invasion (carried by Fichtner), Penn and Teller’s Bullshit (Showtime, should be mandatory viewing for US citizens), Prison Break (Miller, Purcell and Fichtner are outstanding), Saved, Spooks (forget US mainstream spy crap, watch the UK version), Bones (Deschanel’s social interaction rules), and The Unit (Haysbert drops his pen from 24 and picks up a machine gun), all worth checking out. Hell, Jason Lee even proves that comedy isn’t dead in My Name is Earl, despite the networks running comedy into the ground.

Yes, the three people who read this thinking “omg he’s such a TV whore!” can say that. If I didn’t watch the shows a) on my schedule, b) commercial free and c) on the third computer while I work on the first two, then I wouldn’t have seen ANY of these shows, except Meerkat Manor. That is the one show I will stop everything for, sit on the couch, and actually “watch TV” for.