Re: Detecting vulnerabilities to write exploits

[Joshua <theanathema () gmail com>]

On point 2 I must beg to differ. In many cases this is the only way to 
force a company to make the appropriate updates to their product. If you 
propose that we wait until a company releases a patch, then we may as 
well wait until all users everywhere have downloaded and installed said 
patch. Many vulnerabilities can lead to the discovery of others. I would 
much rather that any additional holes, or exploit methods are found 
prior to the patch for a few reasons.

1. A company is less likely to revisit an issue if they feel they have 
addressed it in a capacity to placate the average end user.

2. Better to have the knowledge on what to avoid (in specific) to better 
answer questions from those less technically inclined.

3. Its more fun...

ahmad mubarak wrote:
> there are diifferent ways:
>
> 1 - vendors always announcing about the vulnerabilities before
> releasing the patches such as the  Oxy-morons (Microsoft)
>
> 2 - bad behaviour of Security Response Teams by Making such tools
> publicly available when there's no vendor patch available is
> irresponsible. Plain and simply irresponsible. Everybody associated in
> making and publishing the exploit knows this. And they should know
> better. Moore, A.S, San and FrSIRT: you should know better.
> http://www.f-secure.com/weblog/archives/archive-012006.html#00000758
>
>
>
>
> On 30 Dec 2005 09:47:17 -0000, neelima_2sha () yahoo com
> <neelima_2sha () yahoo com> wrote:
>
> > Hi All,
> >
> >
> > This is something very basic to start with the exploit writing. Can anyone let me know these queries:
> >
> > How do you detect the vulnerability to write a exploit for this?
> >
> > Basically i want to know that how do u find in any code of program that there is buffer overflow or any other kind of 
> > vulnerability existing?
> >
> > How will analyse this to start writing the exploit with respect to this vulnerability?
> >
> > I hope the query is clear.
> >
> > Regards,
> > Neelima Sharma
> >
> > ---------------------------------------------------------------------------
> > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> > The Norwich University program offers unparalleled Infosec management
> > education and the case study affords you unmatched consulting experience.
> > Tailor your education to your own professional goals with degree
> > customizations including Emergency Management, Business Continuity Planning,
> > Computer Emergency Response Teams, and Digital Investigations.
> >
> > http://www.msia.norwich.edu/secfocus
> > ----------------------------------------------------------------------------
>
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management 
> education and the case study affords you unmatched consulting experience. 
> Tailor your education to your own professional goals with degree 
> customizations including Emergency Management, Business Continuity Planning, 
> Computer Emergency Response Teams, and Digital Investigations. 
>
> http://www.msia.norwich.edu/secfocus
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------