Penetration Testing mailing list archives
Re: Scanners and unpublished vulnerabilities - Full Disclosure
From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 28 May 2002 14:00:16 -0600 (MDT)
On Tue, 28 May 2002, Alfred Huger wrote:
> jumping to a visceral conclusion one way or another. The way this impacts the Pen-testing community is that these vulnerabilities which are in the process (presumably) of being fixed are actively being coded into the Typhon II Vulnerability Assessment Scanner from NGSSoftware.
I would suspect this wouldn't have much of an impact on the pen-testing community, but I'll leave it to the professional pen-testers to answer how often the very latest vulnerabilities come into play in their work. My experience comes more from seeing how often really, really old vulnerabilities are used in the wild, and work. This would tend to have to also partially reflect the companies that hire pen-testers, though if they've taken the step to hire someone, that company is at least demonstrating a little more clue. What it boils down to is the rest of us will have the information, just a little later.

I suppose part of the controversy is that NGSSoftware is presumably going to benefit from holding back information, i.e. if you want to check for the vulns they found, you have to buy their product. This isn't new, either. A few years ago at a previous employer, I was a licensed user of ISS' Internet Scanner. They had a check for a statd bug (which came to my attention because it was getting positive matches) that I could find no public documentation on. I.e. I was doing an internal penetration test, and having a potential hole, I wanted to go ahead and exploit it fully. Of course the punchline is that I simply pulled out a sniffer, and read the vulnerability details off the wire (it was a simple .. bug.)

So, NGSSoftware customers have full access to the details, no surprise. It should be noted that it's not possible to copyright how a vulnerability works in any way. So, if an NGSSoftware customer wants to leak that info to the public, they are free to do so, unless perhaps the EULA says they can't, in which case, they would just have to do so anonymously. Second, people really can reverse-engineer the problem by diffing patches, source or object. So, anyone who wants the hole can still have it, they just have to spend more time and/or money. Take a look at the recent set of IE holes Microsoft fixed. Several of them were discovered by MS themselves, and I know for a fact that some people outside of MS now know how the holes work.

So, I don't see how their policy really changes anything. We'll all still have access to the holes, good guys and bad. Once there is a hint that there's a problem somewhere, it will be ferreted out.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
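The "diffing patches, source or object" point in the message above is the technique by which a silently fixed bug gets "ferreted out". The following is an added illustration, not code from the original post or from any vendor mentioned in it: it diffs a constructed "before" and "after" version of a small file-serving routine (both invented for this example, not real statd or NGSSoftware code) and flags the added lines whose new input checks hint at the bug class the patch closes. The `SUSPECT_PATTERNS` heuristics and the function names are this example's own assumptions.

```python
import difflib
import re

# Constructed example: two versions of a file-serving routine, "before" and
# "after" a silent patch. Neither is real vendor code; both are made up here.
BEFORE = """\
static int serve_file(const char *base, const char *req)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", base, req);
    return open(path, O_RDONLY);
}
"""

AFTER = """\
static int serve_file(const char *base, const char *req)
{
    char path[PATH_MAX];
    if (strstr(req, "..") != NULL)
        return -1;
    snprintf(path, sizeof path, "%s/%s", base, req);
    return open(path, O_RDONLY);
}
"""

# Heuristic patterns (an assumption of this example) that an analyst looks for
# in added lines: new input validation that betrays the class of bug being fixed.
SUSPECT_PATTERNS = {
    "path traversal": re.compile(r'"\.\."'),
    "bounds check": re.compile(r'\b(sizeof|strlen|len|size)\b.*[<>]'),
}


def added_lines(before, after):
    """Return the source lines present in `after` but absent from `before`
    (the '+' lines of a zero-context unified diff, header lines excluded)."""
    diff = difflib.unified_diff(before.splitlines(), after.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def classify_fix(before, after):
    """Map each added line to the bug class its new check suggests.
    Returns a list of (label, stripped line) pairs; lines matching no
    pattern (e.g. a bare 'return -1;') are dropped as uninformative."""
    hits = []
    for line in added_lines(before, after):
        for label, pattern in SUSPECT_PATTERNS.items():
            if pattern.search(line):
                hits.append((label, line.strip()))
    return hits


if __name__ == "__main__":
    for label, line in classify_fix(BEFORE, AFTER):
        print(f"{label}: {line}")
```

Against real patches the same idea scales from source diffs to binary diffs (comparing the function bodies of the old and new object), but the workflow is identical: locate what changed, then ask which input the new check rejects, because that input is the trigger the patch was written to stop.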
Current thread:
- Scanners and unpublished vulnerabilities - Full Disclosure Alfred Huger (May 28)
- Re: Scanners and unpublished vulnerabilities - Full Disclosure Ryan Russell (May 28)
- Re: Scanners and unpublished vulnerabilities - Full Disclosure Alfred Huger (May 28)
- Re: Scanners and unpublished vulnerabilities - Full Disclosure Raju Mathur (May 28)
- Re: Scanners and unpublished vulnerabilities - Full Disclosure R. DuFresne (May 29)
- Re: Scanners and unpublished vulnerabilities - Full Disclosure Alfred Huger (May 28)
- Re: Scanners and unpublished vulnerabilities - Full Disclosure Ryan Russell (May 28)
- Re: Scanners and unpublished vulnerabilities - Full Disclosure Pierre Vandevenne (May 28)
- Re: Scanners and unpublished vulnerabilities - Full Disclosure Drew (May 28)
- RE: Scanners and unpublished vulnerabilities - Full Disclosure Marc Maiffret (May 28)
- RE: Scanners and unpublished vulnerabilities - Full Disclosure Deus, Attonbitus (May 28)
- RE: Scanners and unpublished vulnerabilities - Full Disclosure Marc Maiffret (May 28)
- RE: Scanners and unpublished vulnerabilities - Full Disclosure Ryan Russell (May 29)
- Message not available
- RE: Scanners and unpublished vulnerabilities - Full Disclosure Deus, Attonbitus (May 29)
- RE: Scanners and unpublished vulnerabilities - Full Disclosure Marc Maiffret (May 28)