Bugtraq mailing list archives
Re: LD_PROFILE local root exploit for solaris 2.6
From: Valdis.Kletnieks () VT EDU (Valdis.Kletnieks () VT EDU)
Date: Sun, 26 Sep 1999 08:58:33 -0400
On Fri, 24 Sep 1999 10:00:46 BST, Darren Moffat - Solaris Sustaining Engineering <darren.moffat () SUNUK UK SUN COM> said:
> I strongly recommend that people apply the latest recommended and security patch sets when testing out security exploits. That way you won't send out information about exploits which have been long fixed and needlessly panic people.
Good advice, as far as it goes. Yes, installing the latest fixes first
before reporting a bug is a Good Idea (since the vendor will say first thing
"Have you installed all the latest fixes?" and it's always good to patch
OTHER problems before they hit). But....
Something we here on Bugtraq often lose sight of (since we as a group are
preaching to the choir) is that perhaps sometimes panicking the people
is needed.
Remember - the *reason* we keep seeing old long-fixed patches is because
there's machines out there that aren't patched. Unfortunately, I don't
have a better answer to how to get people to install patches other than
panicking them.
And of course, the people who need panicking aren't Bugtraq subscribers.
Or maybe they are - in which case causing a panic is overall a Good Thing.
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
