I haven't written much lately, but I know you'll forgive me. Lately I've written a lot on the other blog <https://cybersecpolitics.blogspot.com/>, cheating on you, the DailyDave reader, because I felt expending my verbal energy on rhetorical defense against the mind-scar that is the Vulnerability Equities Process was something someone had to do. So I did it. Like all cheaters, I don't feel good about it.
You can wake up one morning and everything has changed but the bugs. The VEP is a valuable case study, in that sense. It may linger in ghostly form, despite being dead, and in that way be a warning sign against hubris, against policy that is more aspiration than rubric. And thus, daily we may recite our Wards against the unknown evils that the VEP is a vanguard for.

Today's recitement comes in the form of an exploit, as most do. And the point I'd like to make about it is that categorizing vulnerabilities is futile. Each one is an egg of unknown potential, a campaign against homogeneity.

The CVE-2016-7255 local Windows exploit - or as you may know it, the one FANCY BEAR is spamming all over the place these days - requires a visible Window, and has as a primitive an OR of 4 against a place of your choosing. We have a reliable exploit in CANVAS Early Updates <https://immunityinc.com/products/canvas/early-updates.html> (so if you haven't patched, then it's too late? A Philosophical Question for the Ages).

-dave

P.S. Don't forget to submit a talk to INFILTRATE 2017 <https://opencfp.immunityinc.com/cfp/4/> or vote on the ones there!
_______________________________________________
Dailydave mailing list
Dailydave@lists.immunityinc.com
https://lists.immunityinc.com/mailman/listinfo/dailydave