Re: [HERT] Advisory #002 Buffer overflow in lsof

[Valdis.Kletnieks () VT EDU (Valdis.Kletnieks () VT EDU)]

--==_Exmh_-806204580P
Content-Type: text/plain; charset=us-ascii

On Thu, 18 Feb 1999 21:41:16 EST, Gene Spafford said:
> People who really want to improve security find ways to avoid hurting victims
> and increase protection.   If there is a problem that is not known and not
> under attack, notifying the vendor and waiting for a valid fix to appear is
> not going to result in anyone being hurt.   Posting an exploit widely for a
> previously unknown problem suddenly opens up all the current users to attack.

Umm.. Gene?  I agree with most of your logic, if you can clear up one
minor sticking point:

How do us white hats determine that a problem isn't already known and
being exploited elsewhere by the black hats?

Remember that security holes are found in only two ways:  during code
auditing, and after a break-in.  Now, if you find it after a break in,
you can safely say it's being exploited in the real world.  However,
if you find it during a code audit, you *don't* have any way to find
out if other people are already getting attacked by it.

Remember that the whole reason that Bugtraq is a full-disclosure list
is because there's an implicit assumption that the black hats already
know about all the holes, and we need to get the information out to
the white hats who don't know yet.

--
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech



--==_Exmh_-806204580P
Content-Type: application/pgp-signature

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

iQCVAwUBNs3hDtQBOOoptg9JAQHlwQP/W0bRtbptYNQ6nW8JZe6UTD+nQGJw6418
h0QmFejv5UlYJtGgpR23hUgBizdD4l3L4wk1SRGuDZ89nUfE3X7tYS4GQ1veBYOB
wpy14w3bEgJ1hesbznqay+odEvP6r2ghP0EUoN0xzgMQmhEajExX4XUWqCifbE0o
aVCf37Xu4UM=
=HEsE
-----END PGP MESSAGE-----

--==_Exmh_-806204580P--