undefined | Better HN

0 pointsstaticassertion4y ago0 comments

> What should they do instead?

When someone submits a patch for a vulnerability label the commit with that information.

> You have to rush to patch in any case.

The difference is how much of a head start attackers have. Attackers are incentivized to read commits for obfuscated vulns - asking defenders to do that is just adding one more thing to our plates.

That's a huge difference.

> the logical step is that it doesn't require immediate action when the label is not there.

So I can go about my patch cycle as normal.

> Never mind that the bug might actually be exploitable but undiscovered by white hats.

OK? So? First of all, it's usually really obvious when a bug might be exploitable, or at least it would be if we didn't have commits obfuscating the details. Second, I'm not suggesting that you only apply security labeled patches.

0 pointsstaticassertion4y ago0 comments

> What should they do instead?

When someone submits a patch for a vulnerability label the commit with that information.

> You have to rush to patch in any case.

The difference is how much of a head start attackers have. Attackers are incentivized to read commits for obfuscated vulns - asking defenders to do that is just adding one more thing to our plates.

That's a huge difference.

> the logical step is that it doesn't require immediate action when the label is not there.

So I can go about my patch cycle as normal.

> Never mind that the bug might actually be exploitable but undiscovered by white hats.

0 comments

6 comments · 3 top-level

sirdarckcat4y ago· 2 in thread

for what is worth, the link gregkh pointed you to explains the answer for your first 2 points.

Your last point is wrong. Simple example, which of the following thousand bugs are exploitable? https://syzkaller.appspot.com/upstream

If you can exploit them, you can earn 20,000 to 90,000 USD on https://google.github.io/kctf/vrp

staticassertionOP4y ago

I've read the post before, I've seen the talk, and frankly it's been addressed a number of times. It's the same silly nonsense that they've been touting for decades ie: "a bug is a bug".

bombcar4y ago

They don’t need to label it security even, just a “upgrade now, upgrade soon, upgrade whenever”.

But they clearly don’t want nor care about making that call (and even more clearly basically expect everyone to run the latest kernel at all times (and if you run into a bug there no doubt you’ll be told to not run the latest kernels).

roddux4y ago· 1 in thread

Don't know why your other comment got downvoted. Silently patching bugs has left many LTS kernels vulnerable to old bugs, because they weren't tagged as security fixes. Also leads to other issues..: https://grsecurity.net/the_life_of_a_bad_security_fix

staticassertionOP4y ago

Not just downvoted. Flagged lol

hvidgaard4y ago

I think you missed my point. Attackers will go through commits regardless of a "Security Patch" tag.

But going about your normal patch cycle as normal for things not labelled "Security Patch", just means if the patch for some reason should have been tagged but wasn't, you're in the same situation.

I do see the value in your approach, but it just does not change anything for applications where security is top priority.

j / k navigate · click thread line to collapse