Hacker News new | past | comments | ask | show | jobs | submit login

It's not a niche edge case, there is an entire industry that revolves around securing BYOD devices. If I bring a compromised device on your network and it uses some rdp flaw to access another machine it's gotten a foothold in the network where it could spread further. I don't need code execution from an existing internal resource.

And yes, security is a layered approach. That's why we recognize that the internet isn't the only threat vector out there.

Edit: Why wouldn't you patch internal servers for this anyway? Let's say there is an existing threat with code execution like you say. Now he can trivially access all machines on the network because they share a common vulnerability. At least make him work for it.




> If I bring a compromised device on your network

Then I'm in real trouble with or without this. A compromised device can sniff the network, masquerade, inject network traffic (inc. DNS), and can attack every other device on that same segment.

> I don't need code execution from an existing internal resource.

If you cannot execute code in an internal context then you cannot exploit this bug, you'd effectively be an external attacker. Your own example had you running code on a locally connected "BYOD" device. Therefore you're already executing code in that context.

> Why wouldn't you patch internal servers for this anyway?

Nobody suggested that. In fact quite to the contrary.

By the way while we're discussing niche edge cases, what's your strategy to protect against Van Eck phreaking? Seems about as concrete as the attack vector you're proposing (local network access with no way to execute code).


Okay I think I've either poorly communicated or you've misconstrued what I meant. All I was trying to imply was that threats can surface within the network. I'm not saying some magic will take advantage of the exploit with no connection to the target's network. You said

"If they're attacking you from an internal vector they likely already have code execution within that internal context, making this bug largely redundant."

I was disagreeing that this is redundant. This vulnerability is a remote code exploit that could give an attacker control over the target just by sending a specially crafted packet. It is not some Apache misconfiguration affecting a couple servers, it's baked into all versions of Windows.




Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: