oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

From: Martino Dell'Ambrogio <tillo () tillo ch>
Date: Fri, 24 Jul 2015 14:15:46 +0200
On 07/24/2015 11:47 AM, Leif Nixon wrote:

[...]

As I see it, there are two reasons for releasing working exploits
without warning;

1) Forcing the hand of a non-responsive vendor,

2) Stroking a weak ego by showing off. (Or for marketing, but that comes
   to the same thing.)

Except for case 1, releasing a working exploit *does not help anybody*
except the kiddies. If there are other reasons, I'd like to be told
about them.

If Qualys had released a slightly less detailed advisory, or even just
left off the actual exploit, and given users a day or two to patch their
systems before going full disclosure, the risk to innocent bystanders
would have been much reduced.



Actually, releasing a working exploit helps our customers more often
than not.
In professional pentesting, proof of exploitation is essential.
Most often than not, a real attacker will invest time and resources into
a working exploit, the customer will not feel the need to invest into it
just for simulation.

Moreover, as soon as systems can be patched, they should be.
Of course a few hours delay is not realistic, but I want to be sure that
everyone understands how much "releasing a working exploit *does not
help anybody*" is false.

I urge researchers to continue to release their exploits into the public
domain.
Do it "responsibly", maybe get help in order to do it correctly, but do
it, because it's beneficial more than harmful to any potential target.

-- 
Martino Dell'Ambrogio
Security Auditor
Web: http://www.tillo.ch/
Email: tillo () tillo ch

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Previous By Date Next
Previous By Thread Next

Current thread: