[Dailydave] they are all different.

dave aitel dave at immunityinc.com
Thu Nov 10 14:28:44 EST 2016


I haven't written much lately, but I know you'll forgive me. Lately I've
written a lot on the other blog <https://cybersecpolitics.blogspot.com/>,
cheating on you, the DailyDave reader, because I felt expending my
verbal energy on rhetorical defense against the mind-scar that is the
Vulnerability Equities Process was something someone had to do. So I did
it. Like all cheaters, I don't feel good about it.

You can wake up one morning and everything has changed but the bugs. The
VEP is a valuable case study, in that sense. It may linger in ghostly
form, despite being dead, and in that way be a warning sign against
hubris, against policy that is more aspiration than rubric. And thus,
daily we may recite our Wards against the unknown evils that the VEP is
a vanguard for.

Today's recitement comes in the form of an exploit, as most do. And the
point I'd like to make about it is that categorizing vulnerabilities is
futile. Each one is an egg of unknown potential, a campaign against
homogeneity. The CVE-2016-7255 local Windows exploit - or as you may
know it, the one FANCY BEAR is spamming all over the place these days -
requires a visible Window, and has as a primitive an OR of 4 against a
place of your choosing. We have a reliable exploit in CANVAS Early
Updates <https://immunityinc.com/products/canvas/early-updates.html> (so
if you haven't patched, then it's too late? A Philosophical Question for
the Ages).

-dave

P.S. Don't forget to submit a talk to INFILTRATE 2017
<https://opencfp.immunityinc.com/cfp/4/> or vote on the ones there!
