I must agree, considering I have yet to see it used in even botnet circles, who would surely have used a decent local exploit if it was 'decent'... I know this DLL hijacking has gone unpassed to the community in general because of its uselessness.

I agree completely, I never have seen this actively exploited, nor part of a decent framework where it can be used in a remote or local session.

Basically, it is something which I read the PDF on, and thought "here is the most useless 'exploit', as it was being called, I have ever laid eyes on". My opinion still has yet to be changed by any factor. There could be many factors, i.e. exploitation even in the wild reported, or just someone saying "hey don't forget blah.c!", but this ain't happened, nor will... "hey wanna read MSDN and look and see how a lib is loaded" would make more sense.

I still don't see anything 'good' in this whole fiasco of the DLL hijacking. No active code/PoC, etc etc etc.... As I said, many factors I'd reconsider my stance on... anyhow, enjoyable topic.
xd

On 3 September 2011 11:03, Mario Vilas <[email protected]> wrote:
> I disagree. If this so-called "vulnerability" had any added value in terms
> of social engineering, it would actually make sense to report it. Social
> engineering isn't "bad", I really don't care how "leet" it is. My claim is
> simpler: this advisory makes no sense at all, because it replaces an easy
> way of exploitation for a hard way of exploitation, so its added value is
> actually *negative* for the attacker.
>
> Most likely whoever found this is new in the infosec world and never
> stopped to consider these details - he/she just blindly repeated what the dll
> injection crowd was doing and posted whatever results were found, without
> understanding really well what was going on.
>
> And THAT is the state of infosec today. People who report stuff for the
> sake of reporting, without really understanding how things work or why.
>
> On Fri, Sep 2, 2011 at 11:46 PM, <[email protected]> wrote:
>
>> On Fri, 02 Sep 2011 20:55:35 -0000, "Thor (Hammer of God)" said:
>>
>> > LOL. "Warning, if you get the user to execute code, then it is possible to
>> > get the user to execute code!! All you have to do is get files on their
>> > system, and then get them to execute those files! Note that once you get the
>> > user to execute the code, it will actually run in the context of that user!!
>> > This is remote code execution vulnerability!"
>>
>> > Welcome to today's Infosec!
>>
>> The sad part is that this is the future of infosec as well. Microsoft got the
>> security religion a few years back, and even I have to admit their current stuff
>> isn't that bad at all. The various Linux distros are (slowly) getting their
>> acts together, and maybe even Apple and Adobe will see the light sometime
>> reasonably soon. Yes, there will still be software failures - but once the effort
>> of finding a new 0-day reaches a certain point, the economics change....
>>
>> And once that happens, social engineering will become an even bigger part of
>> both the attack and defense sides of infosec. For the black hats, the cost/
>> benefit of looking for effective 0-day holes will continue to drop, while the
>> cost/benefit of phishing a user will remain steady - so that's a push towards
>> more social engineering. Why go to the effort of spending 3 months finding a
>> browser bug that allows you to push malware to the victim's machine, when you
>> can just spend 45 minutes creating a "Your machine is infected - click here to
>> fix it" pop-up that will catch 80% of the people?
>>
>> Meanwhile, as the software gets more hardened and patching is more automated,
>> the white hats will find a bigger percent of their time is spent defending
>> their systems from attacks triggered by their own users. Because the failure
>> rate of people's brains is already about 4.7*10**9 times as high as the
>> software failure rate, and the ratio is only getting worse - software is
>> improving, people aren't.
>>
>> Prediction 1: 10 years from now, organized crime will be hiring cognitive
>> psychologists to help design more effective phish the way they currently hire
>> programmers to write better spambots.
>>
>> Prediction 2: It ain't gonna get better till the average IQ starts going up faster
>> than the software improves.
>>
>
> --
> “There's a reason we separate military and the police: one fights the enemy
> of the state, the other serves and protects the people. When the military
> becomes both, then the enemies of the state tend to become the people.”
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
