Bugtraq mailing list archives
Re: [HERT] Advisory #002 Buffer overflow in lsof
From: weld () L0PHT COM (Weld Pond)
Date: Fri, 19 Feb 1999 16:18:32 -0500
On Thu, 18 Feb 1999, Gene Spafford wrote:
Yes, some software could be written better. Yes, some vendors may do a poor job of responding to reports. Still, posting attacks or vulnerabilities that are in not in general knowledge and are not being actively exploited and *before* the vendor has been given a chance to respond is not being part of the solution. It is arrogance or showing off.
Before full disclosure became more of the norm, we lived in a world where vendors sat on problems for many months. When bugs were reported questions such as, "do our customers know about this problem?" were asked. It was clear that the fewer people who knew about the problem the longer it would take to be fixed. It was only when many customers knew about the problem that vendors would snap into action. The other problem with a world where vendors can expect to be notified first is they can be reactive about security instead of proactive. They can wait for the "nice guys" to find the problems and cross their fingers that the "bad guys" aren't running rampant through their customers "secure" systems. The full disclosure method has forced many vendors to be more procactive about security and that is a good thing. I would say that full disclosure has raised the quality of shipping products and shortened the time between problem discovery and vendor fix. The most important aspect of full disclosure though is that the user is informed. Some users are able to take protective measures without the need to wait for a vendor fix. This lets the user make decisions based on as much information about his or her security posture that is available. The user is not beholden to the whims of release schedules, corporate public relations or the financial standing of the vendor.
People who really want to improve security find ways to avoid hurting victims and increase protection. If there is a problem that is not known and not under attack, notifying the vendor and waiting for a valid fix to appear is not going to result in anyone being hurt. Posting an exploit widely for a previously unknown problem suddenly opens up all the current users to attack.
I agree that someone posting an exploit should also post a fix if they are able to determine one. Sometimes it is not possible due to lack of source code or the nature of the problem. But getting the information out there may enable another member of the community to supply a fix that even the vendor may not have thought of. -weld
Current thread:
- [HERT] Advisory #002 Buffer overflow in lsof, (continued)
- [HERT] Advisory #002 Buffer overflow in lsof Anthony C . Zboralski (Feb 17)
- [SECURITY] New versions of super fixes two buffer overflows joey () FINLANDIA INFODROM NORTH DE (Feb 18)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Vic Abell (Feb 18)
- Tetrix 1.13.16 is Vulnerable Steven Hodges (Feb 17)
- Re: Tetrix 1.13.16 is Vulnerable Pavel Machek (Feb 19)
- ADMsnmp SNMP Audit scanner root (Feb 17)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Gene Spafford (Feb 18)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Theo de Raadt (Feb 18)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Gene Spafford (Feb 18)
- IE0199.exe uninstaller David Brumley (Feb 19)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Weld Pond (Feb 19)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Valdis.Kletnieks () VT EDU (Feb 19)
- Plaintext Password in Tractive's Remote Manager Software Trevor Gryffyn (Feb 19)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Peter W (Feb 19)
- Re: [HERT] Advisory #002 Buffer overflow in lsof John DiMarco (Feb 19)
- Re: [HERT] Advisory #002 Buffer overflow in lsof brian j pardy (Feb 19)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Greg Woods (Feb 19)
- Re: [HERT] Advisory #002 Buffer overflow in lsof route () RESENTMENT INFONEXUS COM (Feb 18)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Fred W. Noltie Jr. (Feb 19)
- Call to politeness (Re: [HERT] Advisory #002 Buffer overflow in alecm (Feb 19)
- pine 4.10 patches (similar to 4.05) GvS (Feb 20)