Advanced Exploitation of Internet Explorer Heap Overflow Vulnerabilities (MS12-004)

Discussion in 'other security issues & news' started by Hungry Man, Jan 18, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    http://www.vupen.com/blog/20120117.Advanced_Exploitation_of_Windows_MS12-004_CVE-2012-0003.php

     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Curious that VUPEN is releasing info on an exploit instead of selling it to governments like the Chrome exploit, but then I realized: "It was patched last week by Microsoft as part of the MS12-004 security bulletin."

    Now it all makes sense! Good read though, bet Rmus will enjoy this one!
     
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    There may be a slight bit of FUD factor here since most should have MS12-004 installed via WU | WSUS.
     
  4. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    53
    Typically the 'responsible' exploit research firms will make the exploits available to those who can afford the $100,000 - $250,000 (some fees may be higher) licence fees and the exploit PoC remains available until it reaches EOL (End of Life) at which point they will report the vulnerability. It is probably a little more complicated than that... and external circumstances could have an influence on the availability.

    There is so much more to say... civilian organizations/corporations simply cannot afford to pay security research firms. And the research firms may actually lose profit by reporting the vulnerability.

    Its a simple economic issue:

    Option A. Sell the exploit PoC to governmentX, governmentY, agency1 and agency2 that all pay $250,000 licence fees.

    Option B. Inform the software manufacturer of the vulnerability and recieve $1337 dollars.

    Most software vendors do not pay anything at all which makes it an obvious choice.

    To make matters worse, there are different rules governing the reporting of vulnerabilities for 'open source' software. But that subject is beyond the scope of this simple comment.

    Best Wishes,
    -MessageBoxA
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    20,000 not 1337 =P but yes you're correct. Google can pay a lot more than that and they know that.
     
Loading...
Thread Status:
Not open for further replies.