Dailydave mailing list archives

Re: Exploits matter.


From: security curmudgeon <jericho () attrition org>
Date: Wed, 7 Oct 2009 18:39:49 +0000 (UTC)


On Wed, 7 Oct 2009, dave wrote:

: This raises an interesting question. What is a "public" exploit? Buying 
: CANVAS costs less than four thousand dollars and is (thankfully :>) a 
: reasonably common thing for companies to have. If a working, 100% 
: reliable exploit is in the hands of the ten thousand people who care, 
: shouldn't that be considered "public"?
: 
: It just seems weird to me that all the news articles on SMBv2 focus so 
: much on whether or not you can download a working version of the exploit 
: over the Internet, when all the people who could actually do anything 
: with it already had it.

Ten thousand or not, I cannot download the exploit from Immunity's web 
site, milw0rm or anywhere else, correct? To me, and to OSVDB who tracks 
that metric, that is flagged as 'rumored/private'.

Can our industry really put a numeric line on public vs private in the 
scenario you describe? Do 9,999 CANVAS customers = private, but 10,000 
CANVAS customers = public?

.b
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

