Bugtraq mailing list archives

Re: Internet Explorer 0day exploit


From: Chris Stromblad <cs () outpost24 com>
Date: Wed, 18 Jul 2007 22:17:13 +0200


Hello,

Bigby Findrake wrote:
> On Wed, 18 Jul 2007, Chris Stromblad wrote:
>
> <deletia>
>
>> One more thing about "advisories". I think it would be better to release
>> them immediately and let people know what they are facing. With public
>> dissemination of a vulnerability perhaps someone will release a 3rd
>> party patch or another inventive way of protecting oneself. Holding it
>> "secret" really doesn't help anyone.
>
> With regards to your last statement, I would like to believe that that's
> so, or at least that if there is some harm in "early release" of
> information that that harm is mitigated (if not outright outweighed) by
> the potential good that's done by alerting the community and thereby
> allowing them to develop their own responses.

Exactly. Why is it that many people seem to agree that it's less likely
that something bad will happen if information is not disclosed? I'd say
there's an equal, if not bigger, chance that something good happens. It's
all about proportions really. There are likely more "good" people out
there than "bad". If x % of the good guys look at it, they will likely
count for a higher number of people as compared to an equal x % of the
bad. So, yes... I believe that immediate information disclosure about a
bug is better. It shortens the exposure window and it certainly does put
more pressure on the vendor to come up with a patch.

> I guess what we're really talking about here is the perceived potential
> negative impact of letting the bad guys know that a vulnerability exists
> in space X (that they might then attempt to exploit where without that
> knowledge, they wouldn't try to exploit it even if it could be argued
> that they would attempt to find it) vs. the perceived potential good of
> allowing the good guys to attempt to formulate their own defenses
> tangential to some sort of "official" response.
>
> It seems to me that without metrics (how many early release advisories
> turned into exploits that wouldn't have been created without said
> advisory?) that all discussion on this topic is either philosophical or
> academic (which is not to imply "without merit").

Yeah, let's stay away from speculation and assumptions for now.

>> Anyways, enough ranting.
>
> I, for one, enjoyed your rant.

Well thank you, perhaps I should do it more often.

> --
> Making files is easy under the UNIX operating system.  Therefore, users
> tend to create numerous files using large amounts of file space.  It
> has been said that the only standard thing about all UNIX systems is
> the message-of-the-day telling users to clean up their files.
>                -- System V.2 administrator's guide
>
> finger://ephemeron.org/bigby
> http://www.ephemeron.org/~bigby/
> irc://irc.ephemeron.org/#the_pub
> news://news.ephemeron.org/alt.lemurs



/ Chris

--
Chris Stromblad (CEH)
Security Engineer
Outpost24 UK

90 Long Acre
Covent Garden
London, WC2 E9RZ

-------------------------
Tel: +44 (0) 207 849 3097
Dir: +44 (0) 208 099 6595
Fax: +44 (0) 207 849 3140
-------------------------

