Useful items to report might include
• Severity of the problem. Is remote or local code execution possible or likely to be possible?
• Description of the exact structure of inputs that cause the problem.
• Reference to the exact code locations, including function names if known, at which the problem occurs.
• Does the problem appear to be application specific, or is the problem buried in a shared library routine?
• Did you discover any ways to mitigate the problem? This could be in the form of a patch, or it could be a system configuration recommendation to preclude exploitation while a solution is being developed.
Chapter 18: From Vulnerability to Exploit
PART IV
Chapter 19: Closing the Holes: Mitigation
• Reasons for securing newly discovered vulnerabilities
• Options available when securing vulnerabilities
• Port knocking
• Migration
• Patching vulnerable software
• Source code patching considerations
• Binary patching considerations
So, you have discovered a vulnerability in a piece of software. What now? The disclosure
debate will always be around (see Chapter 3), but regardless of whether you disclose in
public or to the vendor alone, there will be some time that elapses between discovery of
a vulnerability and release of a corresponding patch or update that properly secures the
problem.