所謂0day漏洞便是作業系統廠商尚未推出修補程式,在這次攻擊手法中,幾乎所有版本IE瀏覽器在攻擊發生時皆受影響,且經過測試各家防毒軟體的偵測能力,大部分防毒軟體皆無法偵測該植入的後門程式,對於使用者的威脅指數非常巨大。我想大概是因為 MS 的程式是封閉源碼的,所以只能用 Black-box 來進行 Fuzzing 的動作,這點防毒軟體實驗室實在不比坊間駭客來得有優勢(其實就是黑帽與白帽的相互較勁),加上那些大廠規定假如發現重大威脅都不能隨便公報(不能公報沒成就感阿...),因為正式的 Advisor 都有跟他們簽署 NDA(Non-Disclosure Agreement) 保密協議,我想多數人如果有找到弱點通常都先丟黑市賣錢吧!現在有看到 Exploit 幾乎都是被玩好幾手,玩到 Vendor 有心力 Handle 之後才會丟出來,如此以求能縮短蔓延時期的時間長度。
迷:如果真的都有簽署 NDA 的話,我覺得應該會先自由心證(內心的自我抗戰!),然後才決定是否告知 Vendor 一聲,所以把 NDA 的定義套用在這裡也似乎覺得荒謬:
A non-disclosure agreement (NDA), also known as a confidentiality agreement, confidential disclosure agreement (CDA), proprietary information agreement (PIA), or secrecy agreement, is a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to by third parties. It is a contract through which the parties agree not to disclose information covered by the agreement.Vendor: You must promise DO NOT leak any information but keep it confidential.
And then, Advisor told the third party similar word again.
And and then, the third party applied the same policy on the fourth party.
And*N then, ……
Thus, the proverb goes, “Bad news has wings”.
1 comments:
好複雜唷 = =
看不太董呢...
Post a Comment