- In the end, this whole argument stems from one of the most egregious thought errors in the industry: The absence of PoC code, or worse, the lack of a public exploit, is justification for a delay in patching. Both Patrick and I have been confronted by managers saying "Prove to me this is exploitable" prior to allowing a patch to be applied. The sad truth is, there are more security slots in the world than there are people with the talent and background to PoC every patch Microsoft puts out. This thinking, often complicated by business drivers, also extends into software development. Last month's 0-day in Microsoft's MPEG2TuneRequest was CVE-2008-0015…how long were they aware of this bug before it was found by the bad guys? Why were customers placed at risk when the response in the end was simply to killbit the CLSID?
- The fact is, there is always someone out there with more time, knowledge, background, contacts or just raw intelligence working on these issues. The problem is that they are working for the bad guys. While you are setting up the VPN to the new remote office, they are working on 0-day. While you are checking firewall logs, they are working on 0-day. While you are writing policy documents on the use of USB memory devices, they are working on 0-day. Very few companies have the time, resources and talent to individually evaluate patches. Yet there are many who attempt to do just that.
- In truth, the reaction to the release of the Oracle attack packages for Metasploit should have been a collective yawn. Here is why: for every new Oracle attack in Metasploit there is a patch from Oracle. If you're honestly concerned about this package, and aren't just being a self-serving media whore, then you've already made some very critical errors in your implementation and management of some high value targets. What you should do after reading this blog is go and patch your Oracle system, and every other system that you've declined to patch because it is "behind a firewall" or "there isn't a known attack for it". Because in all honesty, if there wasn't an attack available before the patch, you probably have less than 72 hours before someone out there has one put together. If you're lucky, it will be Carnal0wnage, and it will be in Metasploit for all to see. But most likely, it will be in China, Poland or maybe inside your company. Fact is, you just don't know.
Listen to the cat: The people who are stupid enough to require someone else to write their exploits for them are not the people you need to worry about. If you can't defend against them, you deserve to fail.