Here's a retrospective of the BlueKeep forecast. Most important: What is factoring into the "in the wild" delay? https://medium.com/@magoo/revisiting-the-bluekeep-forecast-150cbbee3458
Replying to @Magoo
My current take on this is that the nature of opportunistic reuse of Windows vulnerabilities has changed. "Patch Tuesday, exploit Wednesday" no longer holds in any general sense. Rather, attackers seem to prefer one of two possible "ideal" situations for 1-day campaigns...
Replying to @benhawkes @Magoo
1) They're waiting for bugs that require only a small amount of additional research and development to exploit reliably -- design flaws and logic bugs, or other easily exploitable conditions (cf. CVE-2018-0802, where there was no DEP and ASLR was weak).
Replying to @benhawkes @Magoo
or 2) They're waiting for a fully developed and reliable exploit to be leaked, most typically when a targeted exploit attempt using 0day is detected. No additional R&D required, and the social proof is high!
Replying to @benhawkes @Magoo
This is just an observation made by working backwards from the CVEs that show up most regularly in 1-day attacks. But anyway, since BlueKeep matches neither of these criteria, based on this model I wouldn't anticipate immediate and widespread 1-day activity.
Replying to @benhawkes @Magoo
At some level it makes sense -- the set of people with the capability to "productize" a bug report (or binary patch) to a good exploit (in 2019) AND with the motivation to use it in a 1-day campaign is going to be pretty small.
And anyone with this sort of technical capability will normally have a much more attractive path available to them: find and exploit 0day.
Replying to @benhawkes
Thanks! I've linked your discussion. Hoping others will chime in as well from other points of view.