Bugtraq mailing list archives
Re: Vulnerabilities in some SCADA server softwares
From: Willy Tarreau <w () 1wt eu>
Date: Thu, 24 Mar 2011 12:13:32 +0100
On Wed, Mar 23, 2011 at 02:36:38PM -0400, J. Oquendo wrote:
> On 3/23/2011 2:13 PM, Theo de Raadt wrote:
> > > If *any* threat exists, that threat is increased by public exposure of unmitigated attack methodology
> >
> > I think you have it wrong. Public exposure increases the visibility, and therefore customers install the patches quicker. Without public visibility, they will keep running the old code.
>
> You're flawed in your response: "Public exposure increases the visibility, and therefore customers install the patches quicker." ... When someone "full discloses" a vulnerability, there is no patch to install quicker.
That does not change the fact that the bug might already have been exploited for a long time. Without the disclosure, the vendor has the possibility to guess that it's not the case and take a long time to fix it. After the disclosure, this possibility vanishes and he has to work on a fix.

Also, if vulnerabilities were waiting for disclosure to be exploited in such environments, Stuxnet would not have existed *before* Luigi's post, only after. Recent facts have proven you wrong here.

Granted, now there's an emergency and we'll possibly get poor quality patches or workarounds at first. At least if some of these vulns are currently actively being exploited, we can expect those exploits to quickly stop from now on.

Willy