undefined | Better HN

0 pointsdan_manges13y ago0 comments

Knowing that there is a vulnerability might motivate them to look for it, but given the size of the software, I doubt they'll be able to find it without knowing more.

0 comments

jfim13y ago

You'd be surprised; on Windows, at least, there are people who reverse engineer the security patches from Microsoft in order to determine the initial vulnerability[1].

[1] http://www.phreedom.org/presentations/reverse-engineering-an...

Edit: Misinterpreted your post. You're right, it's unlikely that they'll guess where it is until a patch comes out.

rosser13y ago

Because there are enough people running Windows who haven't applied the patch that figuring out how to exploit it is a worthwhile undertaking.

Then again, IME of many years as a PostgreSQL DBA, the vast, overwhelming majority of postgres shops aren't running anywhere near the latest release, so depending on how far back this vulnerability goes, there could be a very large number of exploitable targets...

mixedbit13y ago

The knowledge may also motivate them to prepare for attacks to be executed once the vulnerability is public but most instances do not have it patched. Scan the Internet for PG backed applications, identify high profile ones, prepare automatic scripts, etc.

zalew13y ago

> Scan the Internet for PG backed applications, identify high profile ones, prepare automatic scripts, etc.

it rather works like:

- take exploit

- spread it over the whole internet and calls home where it sticks

j / k navigate · click thread line to collapse