Full Disclosure mailing list archives

RE: RE:


From: "Drew Copley" <dcopley () eEye com>
Date: Thu, 1 Jul 2004 12:58:01 -0700

 

-----Original Message-----
From: Blue Boar [mailto:BlueBoar () thievco com] 
Sent: Thursday, July 01, 2004 12:51 PM
To: Drew Copley
Cc: Robin Landis; bugtraq () securityfocus com; 
full-disclosure () lists netsys com; ntbugtraq () listserv ntbugtraq com
Subject: Re: [Full-disclosure] RE:

Drew Copley wrote:
I contend that the fact that the very same people are 
reporting bugs does not mean that they are the only ones 
finding them.  Nor does it mean that only an expert might 
find them.  Nor does it mean that all experts would be 
inclined to report them.

Great. Based on what evidence.

Didn't a couple of the recent IE holes come to light because
they were first publicly found in the wild?

                                      BB

There has been one true zero day in IE. 

This was the recent spyware issue, later converted to work
for some credit card scammers in Scob.

There was a substantial zero day in IIS. The webdav bug, which
was found when it was being used to attack military systems.

The zero day in IE utilized known vulnerabilities to work;
without it, it could not have worked. That is out of several
years of many people - and many talented people - pounding
it.

The IE zero day issue is not surprising because IE researchers
receive and have received a lot of large money offers in
the recent past. 

The webdav issue used exploit code which is extremely similar
to exploit code found by some of the best Chinese hackers
on the planet.

None of these are people outside of the social circles of
other security researchers.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

