<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>I haven't written much lately, but I know you'll forgive me.
      Lately I've written a lot on the <a
        href="https://cybersecpolitics.blogspot.com/">other blog</a>,
cheating on you, the DailyDave reader, because I felt expending my
verbal energy on rhetorical defense against the mind-scar that is
the Vulnerability Equities Process was something someone had to
do. So I did it. Like all cheaters, I don't feel good about it. <br>
</p>
<p>You can wake up one morning and everything has changed but the
bugs. The VEP is a valuable case study, in that sense. It may
linger in ghostly form, despite being dead, and in that way be a
warning sign against hubris, against policy that is more
aspiration than rubric. And thus, daily we may recite our Wards
against the unknown evils that the VEP is a vanguard for. <br>
</p>
<p>Today's recitement comes in the form of an exploit, as most do.
And the point I'd like to make about it is that categorizing
vulnerabilities is futile. Each one is an egg of unknown
      potential, a campaign against homogeneity. The CVE-2016-7255 local
      Windows exploit - or as you may know it, the one FANCY BEAR is
      spamming all over the place these days - requires a visible window,
      and has as a primitive an OR of 4 against a place of your
choosing. We have a reliable exploit in <a
href="https://immunityinc.com/products/canvas/early-updates.html">CANVAS
Early Updates</a> (so if you haven't patched, then it's too
late? A Philosophical Question for the Ages). <br>
</p>
<p>-dave</p>
<p>P.S. Don't forget to submit a talk to <a
href="https://opencfp.immunityinc.com/cfp/4/">INFILTRATE 2017</a>
or vote on the ones there! <br>
</p>
</body>
</html>