
What does VERT do?

This week was Microsoft's monthly patch release and you may have noticed that we didn't blog a list of the released advisories, since you can find them all over the net (here, here or even here). I did, however, want to mention a few things.

One of the things that I wanted to mention was MS08-060, which was discovered by a colleague of mine - Paul Miseiko. Paul discovered this vulnerability while working on another MS Update earlier this year. We worked with the Proof of Concept code for a little while to make sure we didn't waste Microsoft's time by reporting something they'd already fixed. After testing we passed the proof of concept and details along to Microsoft, and now we have a patch.

The reason I wanted to bring this up is actually completely unrelated to Microsoft and Patch Tuesday, and leans more towards Paul's discovery. When I mention I work in security or security research, the first thing people tend to say is, 'Oh, you're a hacker.' In fact, on my way home last night the cab driver asked why I was out so late (working on MS Tuesday of course). I said I was working, and he asked what I did... I said I work with computer security and he immediately said, "So a hacker?". I only mention this because it's a common misconception that occurs in the general public when you put the words 'computer' and 'security' together. I actually find it's similar to a common misconception that occurs within the IT community.

Quite often when I'm speaking to others in the community, be it IT or IS, I'll find myself saying I do security research. A common response is, "So have you found any interesting vulnerabilities lately?" While the general public equates 'security research' or 'computer security' to 'hacking', we tend to equate it to 'vulnerability discovery'. Yet that's not what I do on a daily basis, nor is it what the other members of VERT do. The same is true for many people that perform research on a regular basis (AV Researchers, IDS Signature Developers, etc).

So then, what do we do? If you already know, you might just want to skip to the links at the bottom of the post. For those who don't know what we do every day: I'd like to say we do everything... but that would be a little far-fetched. Some of what we do can be summed up as Vulnerability Detection and Application Feature-printing. However, this entails a lot of different things. Reverse engineering and packet analysis are a couple of things that come to mind. That being said, we also work extensively with multiple operating systems, perform a fair amount of Python development and analyze various protocols.

While vulnerability detection doesn't sound very interesting (compared to, say, vulnerability discovery or exploit development), it is quite often harder than either of those tasks. One of the key points is to be non-invasive. If you know something is vulnerable and are able to reach the vulnerable code, you can trigger the vulnerability (even if you perform a denial of service, instead of actually performing a buffer overflow, for example). It's much harder to figure out what else has changed between versions of the software. That's how you feature-print the application, and accurate feature-printing of specific versions of applications is one way to identify which versions are vulnerable. This is more than writing a banner check, as banners are quite often hidden or modified; this is about understanding how the application acts on a protocol level.
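To make the contrast with a banner check concrete, here is a small offline sketch of feature-print matching, added as an illustration and not taken from VERT's tooling. The service name, versions, probe names, behaviours and the vulnerable set are all constructed assumptions.

```python
# Constructed feature table for a hypothetical service "exampled"; none of
# these versions, probes or behaviours come from the original post.
FEATURES = {
    "1.0": {"unknown_verb": "500 syntax error", "empty_line": "ignored", "caps_ext": False},
    "1.1": {"unknown_verb": "502 not implemented", "empty_line": "ignored", "caps_ext": False},
    "1.2": {"unknown_verb": "502 not implemented", "empty_line": "400 bad request", "caps_ext": True},
}
VULNERABLE = {"1.0", "1.1"}  # assumption: the flaw was fixed in 1.2


def candidate_versions(observed):
    """Versions whose known behaviour agrees with every benign probe observed."""
    return {
        version
        for version, traits in FEATURES.items()
        if all(traits.get(probe) == result for probe, result in observed.items())
    }


def assess(observed, banner=None):
    """Classify a host from behaviour alone; the banner is only cross-checked."""
    candidates = candidate_versions(observed)
    if not candidates:
        verdict = "unknown"            # behaviour matches no print on file
    elif candidates <= VULNERABLE:
        verdict = "vulnerable"
    elif candidates.isdisjoint(VULNERABLE):
        verdict = "not vulnerable"
    else:
        verdict = "indeterminate"      # more probes needed to split candidates
    return {
        "candidates": sorted(candidates),
        "verdict": verdict,
        "banner_mismatch": banner is not None and banner not in candidates,
    }


# Constructed observations: the banner claims 1.2, the behaviour says otherwise.
spoofed = assess({"unknown_verb": "502 not implemented", "empty_line": "ignored",
                  "caps_ext": False}, banner="1.2")
partial = assess({"unknown_verb": "502 not implemented"})

if __name__ == "__main__":
    print(spoofed)
    print(partial)
```

The second call shows why one probe is rarely enough: a single shared behaviour leaves both a fixed and an unfixed version in play, so the honest answer is "indeterminate" until another difference is observed.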

Since we delve rather deeply into the applications, looking for differences that won't trigger the vulnerability, we find ourselves discovering vulnerabilities such as MS08-060. It isn't our intended focus but when you dig in like we do it's bound to happen.

For those of you that already knew what we did, maybe you picked up something new. For those of you that didn't... now you know.

About

This page contains a single entry from the blog posted on October 16, 2008 8:09 PM.
