Full Disclosure mailing list archives
The role of explicit advisories (was: MS03-039 has been released - critical)
From: l8km7gr02 () sneakemail com
Date: Thu, 11 Sep 2003 09:16:57 -0400
Marc Maiffret:

> Just to cut off any stupid debate, that I promise anyone stepping to will lose... ;-) Giving details of where a flaw is does not make exploits/worms happen any more often. The "bad guys" do not need details in order to write exploits and worms. That is apparent when you look at the first RPC flaw and how NO details were released yet an exploit and worm were. However, with details, we can all audit our networks for the flaws, to know systems we need to fix, and set up IDS/IPS systems to monitor for attackers, whereas we couldn't without details. Also, we can check to make sure vendors did not (yet again) screw up and release a patch that does not truly fix a system.

Hi Marc,

You and your ilk obviously have to field accusations like the above frequently, but repetition doesn't necessarily make something true. Yes, even without cookbooks, master chefs can and do create extravagant desserts -- but the rest of us novice bachelors just sort of stumble around making a mess. Would you say that the majority of viruses/worms are written by masters or novices?

*Of course* explicit advisories help in the creation of exploits. To claim otherwise flies in the face of reality. Aren't well-documented libraries infinitely more useable than obscure, undocumented code?

The caveat is, as you mention, explicit advisories also help admins audit our own networks *and* light a fire under the vendors to get a fix out immediately. I'd wager just about everyone on this list would agree that the benefits of detailed advisories greatly outweigh the costs -- but it's a bit naive to suggest that there /are no costs/. Take another look at eEye's AD20030910 advisory and reconsider from the perspective of a young black-hat.

That said, both Full-Disclosure and eEye are infinitely valuable resources for the good guys. Keep up the great work.

take care,
Cael

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html