oss-sec mailing list archives

Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sat, 25 Jul 2015 14:18:05 -0700

Frankly, over the years I have seen pretty few people on the side of the
angels complain that "But *why* didn't you include a weaponized exploit
with your advisory? I feel so cheated!".

AFAICT, virtually all the open-source and closed-source security
testing tools are dependent on the availability of this information;
this certainly includes Nessus, most web security scanners, most AV
software, etc.

In these situations, where an exploit for a new local root vulnerability
turned up without prior warning, we typically started seeing root-level
incidents within 24 hours. Have you ever tried to get big organizations,
made up of a zillion independent entities, to apply security patches
within a timescale of hours?

Would you choose not to do this in situations where no public exploit
is available, and therefore you would be unlikely to see the
immediately evident nuisance attacks described in your message?

Starting with the premise that the disclosure of security bugs makes
computer systems more vulnerable to attacks, would it be preferable to
completely discourage sharing vulnerability information with the
general public? If not, why?

/mz
