oss-sec mailing list archives
Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser
From: Martino Dell'Ambrogio <tillo () tillo ch>
Date: Fri, 24 Jul 2015 14:15:46 +0200
On 07/24/2015 11:47 AM, Leif Nixon wrote:
> [...] As I see it, there are two reasons for releasing working exploits without warning; 1) Forcing the hand of a non-responsive vendor, 2) Stroking a weak ego by showing off. (Or for marketing, but that comes to the same thing.) Except for case 1, releasing a working exploit *does not help anybody* except the kiddies. If there are other reasons, I'd like to be told about them. If Qualys had released a slightly less detailed advisory, or even just left off the actual exploit, and given users a day or two to patch their systems before going full disclosure, the risk to innocent bystanders would have been much reduced.
Actually, releasing a working exploit helps our customers more often than not. In professional pentesting, proof of exploitation is essential. More often than not, a real attacker will invest time and resources into a working exploit; the customer will not feel the need to invest in it just for simulation. Moreover, as soon as systems can be patched, they should be.

Of course a few hours' delay is not realistic, but I want to be sure that everyone understands how much "releasing a working exploit *does not help anybody*" is false.

I urge researchers to continue to release their exploits into the public domain. Do it "responsibly", maybe get help in order to do it correctly, but do it, because it's beneficial more than harmful to any potential target.

--
Martino Dell'Ambrogio
Security Auditor
Web: http://www.tillo.ch/
Email: tillo () tillo ch