Full Disclosure mailing list archives

When do exploits get used?

From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 22 Mar 2004 13:46:43 -0600

--On Monday, March 22, 2004 05:04:43 PM +0000 Ben Laurie<ben () algroup co uk> wrote:


Note: I changed the subject to more accurately reflect the discussion.


This is foolish thinking.  Do you really think that, when a patch comes
out, *then* the hackers start working on exploits?  The exploits were
being used *long* before the patch comes out.  The only thing a patch
gets you is protection against *future* hack attempts against *that*
weakness.


This is demonstrably not true - it depends who finds the problem.

So, it's not true, except it depends?  Then it is true.

Not *every* exploit comes out after a patch is released, but it's a factthat *some* exploits are in use long before a "researcher" reports them toa vendor and/or a patch comes out.

To think otherwise is foolish, as I said. If one isn't paranoid, oneprobably doesn't belong in the security field. If you're sitting backthinking you're safe because you're patched and you patch quickly, thenyou're unalert and exposed.


Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Operating Systems Security, "Microsoft Security, baby steps" Todd Burroughs (Mar 18)
- Re: Operating Systems Security, "Microsoft Security, baby steps" Florian Weimer (Mar 18)
  - Re: Operating Systems Security, "Microsoft Security, baby steps" Mark J Cox (Mar 18)
- Re: Operating Systems Security, 'Microsoft Security, baby steps' Daniele Muscetta (Mar 18)
- RE: [inbox] Operating Systems Security, "Microsoft Security, baby steps" Curt Purdy (Mar 18)
- <Possible follow-ups>
- RE: Operating Systems Security, "Microsoft Security, baby steps" Schmehl, Paul L (Mar 18)
  - RE: Operating Systems Security, "Microsoft Security, baby steps" Todd Burroughs (Mar 18)
    - RE: Operating Systems Security, "Microsoft Security, baby steps" Luke Scharf (Mar 19)
  - Re: Operating Systems Security, "Microsoft Security, baby steps" Nico Golde (Mar 19)
  - Re: Operating Systems Security, "Microsoft Security, baby steps" Ben Laurie (Mar 22)
    - When do exploits get used? Paul Schmehl (Mar 22)
    - Re: When do exploits get used? Luke Scharf (Mar 22)
    - Re: When do exploits get used? Jay Beale (Mar 22)
    - Re: When do exploits get used? Luke Scharf (Mar 22)
    - RE: When do exploits get used? Bill Royds (Mar 22)
    - Message not available
    - RE: When do exploits get used? Michael Cecil (Mar 22)
    - Re: When do exploits get used? Luke Norman (Mar 24)
    - Re: When do exploits get used? Jay Beale (Mar 23)
    - Re: When do exploits get used? Luke Scharf (Mar 22)
    - Re: When do exploits get used? Dave Aitel (Mar 22)