Full Disclosure mailing list archives
RE: Publishing exploit code - what is it good for
From: Socrates <socrates () newsguy com>
Date: Thu, 30 Jun 2005 22:40:42 -0500
I for one am glad to see PoC code. Too often vendors are very vague with their patchsets (Oracle basically says to install a huge tarball to fix 'critical' vulnerabilities without listing exactly what it fixes and the recent Backup Exec vulnerability had a later patch version available for a different unrelated problem than the published advisory for the agent password overflow - you had to read three different advisories to find out if the later patchset had the fix - it did, even then it was a crap shoot). Given the lack of disclosure from the vendors, I like to have PoC code available to test if the patch really was applied correctly (and was the correct one). Don't forget the instances when either a patch silently fails, or if you are a security admin, don't trust that the admins really patched all of their machines. I would forgo most PoC codes if vendors would *exactly* explain what was in their patchsets (and provided a way to test for the existence of easily) and what they addressed without these matrix's of different versions of their product cross-referenced to a simple 'critical' reference. Even as vague as MS announcements are, they are still one of the better disclosing vendors when it comes to their announcements.
Then again, I like to learn from the PoC code to further my knowledge as how the inner workings of programs work and how much of a poor job someone did while coding it.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Publishing exploit code - what is it good for Curt Sampson (Jul 01)
- <Possible follow-ups>
- RE: Publishing exploit code - what is it good for Socrates (Jul 01)
- RE: Publishing exploit code - what is it good for Morales, David (Seta) (Jul 01)
- Re: Publishing exploit code - what is it good for Joachim Schipper (Jul 01)
- Re: Publishing exploit code - what is it good for ChayoteMu (Jul 02)
- RE: Publishing exploit code - what is it good for Harry Metcalfe (Jul 02)
- RE: Publishing exploit code - what is it good for wnorth (Jul 05)
- Re: Publishing exploit code - what is it good for Lionel (Jul 06)