Full Disclosure mailing list archives

RE: Publishing exploit code - what is it good for


From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 30 Jun 2005 13:33:57 -0500

Erick,

How do you plan to mitigate known vulnerabilities in your network
without a POC? I guess you can just assume your systems are vulnerable
and then wait on the vendor to fix it...with your hands tied? I am sure
Microsoft will have that patch out next year for you. 

Exploit code is used by people to mitigate known vulnerabilities where a
patch isn't out yet. It protects people...but it does hurt people. So do
cars..so do guns. But pointing your gun (network) around blind (without
knowing if you are truly vulnerable) is not something a lot of people
want to do.

I have seen public exploit code force a company to fix the issue. You
are right, you have to assume blackhats have the exploit; do you not
want the same tool? To study it and make a plan for blocking the attack
before a patch is released.

I remember a couple of IE vulns that were "patched" but security
researchers used modified public exploit code to show that only the
attack vector was patched, not the core problem, forcing the company to
look deeper into the issue. Everyone is entitled to their own view, just
my 2 cents.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk 
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf 
Of Erick Mechler
Sent: Thursday, June 30, 2005 12:37 PM
To: Joachim Schipper
Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com
Subject: Re: [Full-disclosure] Publishing exploit code - what 
is it good for

:: Blackhats may get along with only a handful of exploits, if they're
:: willing to try to find targets to match their collection, but a
:: pentester should have the collection to match the target.
:: 
:: This is doubly true if we're not talking about a dedicated pentester,
:: but about a sysadmin with a networking/security background who likes to
:: verify that the patches did, indeed, work.

To that I say let the people producing the patches deliver
the exploit code as a POC that the patches did, indeed, work.
Releasing exploit code before the patch is released helps
nobody except the blackhats.

:: Also, exploits will be distributed, publicly or otherwise - doing it in
:: the open means we know what happens when.

You should, as an admin, assume that once a vulnerability is 
released, the exploit has been too, whether you see it 
attached to the vuln announcement or not.

Cheers - Erick
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
