Weak of Oracle Bugs

[This was originally published on the OSVDB blog.]

No, not a typo. A couple weeks back, Argeniss “was proud to announce that we are starting on December the “Week of Oracle Database Bugs” (WoODB).” A couple days ago they abruptly called off the WoODB with the following message:

We are sad to announce that due to many problems the Week of Oracle Database Bugs gets suspended.

We would like to ask for apologizes to people who supported this and were really excited with the idea, also we would like to thank the people who contributed with Oracle vulnerabilities.

It’s hard to ignore the obvious possibility (especially with so many other people saying the same) that they solicited the community to support their effort by submitting unpublished Oracle vulnerabilities, then arbitrarily shut the effort down while keeping all the information and not sharing it as stated. Argeniss, why not give us the full story? Were you threatened by Oracle? Drastic change of ethical stance? Pure greed when you realized the value of a hundred contributions?

SANS Top 20 Report – Deja Vu

[This was originally published on the OSVDB blog.]

I previously blogged about the SANS Top 20 List in a pretty negative fashion. The list started off as the “Top 10 Vulnerabilities” and quickly expanded into the Top 20 Vulnerabilities. Even last year (2005), they were still calling it a “Top 20 Vulnerabilities” list when it clearly had become anything but that. This year, SANS finally wised up calling the list “SANS Top-20 Internet Security Attack Targets”. Yes, they are now listing the 20 most attacked ‘targets’, not ‘exploited vulnerabilities’. With this change, does the list regain some of the value it originally had and quickly lost? Let’s look at the list:

Operating Systems
W1. Internet Explorer
W2. Windows Libraries
W3. Microsoft Office
W4. Windows Services
W5. Windows Configuration Weaknesses
M1. Mac OS X
U1. UNIX Configuration Weaknesses
Cross-Platform Applications
C1 Web Applications
C2. Database Software
C3. P2P File Sharing Applications
C4 Instant Messaging
C5. Media Players
C6. DNS Servers
C7. Backup Software
C8. Security, Enterprise, and Directory Management Servers
Network Devices
N1. VoIP Servers and Phones
N2. Network and Other Devices Common Configuration Weaknesses
Security Policy and Personnel
H1. Excessive User Rights and Unauthorized Devices
H2. Users (Phishing/Spear Phishing)
Special Section
Z1. Zero Day Attacks and Prevention Strategies

So if you run Windows, Unix, or MacOS .. and/or have Web Applications, Database software, allow P2P file sharing, allow IM messaging, have media players (installed by default on most OSs), run DNS servers, run Backup Software, run Security/Enterprise/DM servers .. and/or use VoIP servers/phones or “network and other devices”.. and/or have weak policy governing user rights or don’t prohibit certain devices and you actually have users.. you have at least one of the “Top 20 Attack Targets”. Wow, is that ever so helpful. Oh, I forgot, failing all of that, “Zero Day Attacks” are a top 20 attack vector.

Hey SANS, could you make a more overly vague and general security list next time? Maybe for 2007 you could shorten it from the “Top 20” to the “Top 1” and just list “C1: Have a computer type device”. That would save your analysts a lot of time and be just as helpful to the masses. Seriously, ditch the list or go back to the basics.

Month of Kernel Bugs (MoKB)

[This was originally published on the OSVDB blog.]

First it was the Month of Browser Bugs (MoBB), now it is the Month of Kernel Bugs (MoKB). When I first read about it, I immediately thought of thirty odd entries about Linux Kernel Local DoS conditions. My pessimism is born out of the numerous local DoS attacks against the Linux Kernel. Microsoft fans use this to say that Linux has so many more bugs than Microsoft, but i’m sure if we documented every way to make any version of Windows blue screen, we’d be cutting ourselves.

Fortunately, the MoKB has started out very well by offering vulnerabilities in Mac OS X Kernel Wireless Drivers, Linux, FreeBSD, Solaris, and Windows. Only 11 days in, and all of that! The folks putting this together are doing an outstanding job putting this together, researching the vulnerabilities and presenting them.

In the months and years to come, what else will we see? What would you like to see the most.. Month of ______ Bugs.