Full Disclosure mailing list archives
RE: Publishing exploit code - what is it good for
From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 30 Jun 2005 13:33:57 -0500
Erick,

How do you plan to mitigate known vulnerabilities in your network without a POC? I guess you can just assume your systems are vulnerable and then wait on the vendor to fix it...with your hands tied? I am sure Microsoft will have that patch out next year for you.

Exploit code is used by people to mitigate known vulnerabilities where a patch isn't out yet. It protects people...but it does hurt people. So do cars...so do guns. But pointing your gun (network) around blind (without knowing if you are truly vulnerable) is not something a lot of people want to do.

I have seen public exploit code force a company to fix the issue. You are right, you have to assume blackhats have the exploit, do you not want the same tool? To study to make a plan of blocking the attack before a patch is released.

I remember a couple of IE vulns that were "patched" but security researchers used modified public exploit code to show that only the attack vector was patched, not the core problem. Forcing a company to look deeper into the issue.

Everyone is entitled to their own view, just my 2 cents.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Erick Mechler
Sent: Thursday, June 30, 2005 12:37 PM
To: Joachim Schipper
Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com
Subject: Re: [Full-disclosure] Publishing exploit code - what is it good for

:: Blackhats may get along with only a handful of exploits, if they're
:: willing to try to find targets to match their collection, but a
:: pentester should have the collection to match the target.
::
:: This is doubly true if we're not talking about a dedicated pentester,
:: but about a sysadmin with a networking/security background who likes to
:: verify that the patches did, indeed, work.

To that I say let the people producing the patches deliver the exploit code as a POC that the patches did, indeed, work. Releasing exploit code before the patch is released helps nobody except the blackhats.

:: Also, exploits will be distributed, publicly or otherwise - doing it in
:: the open means we know what happens when.

You should, as an admin, assume that once a vulnerability is released, the exploit has been too, whether you see it attached to the vuln announcement or not.

Cheers - Erick

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/