Full Disclosure mailing list archives

Re: Bad news on RPC DCOM2 vulnerability


From: Valdis.Kletnieks () vt edu
Date: Sat, 11 Oct 2003 11:20:23 -0400

On Sat, 11 Oct 2003 01:28:40 PDT, Peter King <elvi52001 () yahoo com>  said:

> why those *security* sites keep *exploits* online even when they know that this is an unpatched vuln !!!!

(Disclaimer:  I'm explaining the site's logic as I see it.  I may be wrong -
they may just be totally irresponsible and not care at all.  In any case, I'm
not saying I necessarily agree with it, although I'll admit that it takes a
very large cluestick to get some vendors moving....)

Because the vulnerability is in software from a commercial vendor.  This
actually matters.

An open-source package will often get a patch quickly, because the "currency"
of the open-source community is to a large degree pride and recognition.  Holes
get patched quickly because it's embarrassing to have a large hole go
unpatched.

A commercial closed-source vendor isn't there for recognition.  It's there *to
make money*.  Fixing holes *costs* money - as a result, there is a
*dis*incentive to actually fix bugs, unless the number/severity of the bugs are
*so* bad that it starts affecting sales of the product.

You'll notice that Bill Gates made the "First Great Commitment To Security"
speech only after Microsoft software had gotten burnt by Code Red, Nimda, and a
large number of Outlook-based malware.

You'll notice that Ballmer made the "Second Great Commitment To Security"
speech last week only after Microsoft software had gotten whacked by Blaster
and Nachi.

You'll notice that even all that malware put together hasn't been enough to
make them admit the basic code base is screwed and needs to be thrown out and
redone from scratch - because THAT would make a multi-billion dollar hit in
their bottom line.

How fast would Microsoft move, given their choice, if they *didn't* know that
there was an exploit available, and that it was just a matter of time before
the exploit got bolted onto one of the numerous worm sleds already available?

And *that* my friends, is why they make exploits available.
