Re: Exploits matter.

[c0lists <lists () carnal0wnage com>]

On Wed, Oct 7, 2009 at 2:39 PM, security curmudgeon
<jericho () attrition org>wrote:

> On Wed, 7 Oct 2009, dave wrote:
>
> : This raises an interesting question. What is a "public" exploit? Buying
> : CANVAS costs less than four thousand dollars and is (thankfully :>) a
> : reasonably common thing for companies to have. If a working, 100%
> : reliable exploit is in the hands of the ten thousand people who care,
> : shouldn't that be considered "public"?
> :
> : It just seems weird to me that all the news articles on SMBv2 focus so
> : much on whether or not you can download a working version of the exploit
> : over the Internet, when all the people who could actually do anything
> : with it already had it.
>
> Ten thousand or not, I cannot download the exploit from Immunity's web
> site, milw0rm or anywhere else, correct? To me, and to OSVDB who tracks
> that metric, that is flagged as 'rumored/private'.

Then perhaps someone should update OSVDB to include "for pay" exploits/tools
as a category just like bugtraq/bid does with comments.

Because all those databases are incomplete it would be nice if "someone"
would start putting that information in their db to say immunity has the
exploit or core impact has the exploit.

there is a big difference (to me) between rumored/private and for pay.

-CG

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave