Full Disclosure mailing list archives

Re: Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities


From: Jason <security () brvenik com>
Date: Sat, 24 Jun 2006 15:29:18 -0400



David Taylor wrote:
> I surely didn't intend for this thread to end up going in the direction it
> did.  I was basically just trying to say I am concerned with the numerous
> advisory/exploit releases on the same day.  No matter what the reason.  And
> perhaps there still isn't a definition of 0-day that everyone agrees on.  I
> basically understand it the way Wikipedia has it listed.


There are several interpretations of 0-day but the basic theme is that
an 0-day is better than a NO-day. For the normal people in the world
that simply want to be able to go to work and make some money it can be
inconvenient. The fact remains that everyone has the ability to respond
in a way that is appropriate once an issue is known. Not disclosing the
issue, even if the vendor has patched it, does not help. The entities
that intend on exploiting vulnerabilities are fully capable of reversing
a patch and discovering the vulnerability.

In days past a vulnerability may have gone completely unnoticed and
patched in due time as a bug; the vulnerability still existed. I would
argue that the number of vulnerabilities discovered has not really
increased but awareness certainly has. The composition of vulnerability
disclosures has also changed but the overall number when compared to
impact is not significantly different.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

