Whether to release the exploit or not is subject to a number of different practical and moral considerations.
Firstly security testers and testing tools need to have functional and working exploits to validate if their customerâs sites are secure; if exploits are not released they cannot do their job. Every time a security tester runs a scan the exploit is publically published, so selective disclosure does not work. Secondly the exploit contained within Adobeâs patches will be rapidly reverse engineered by governmental Infosec warfare teams, along with various commercially profitable underground organisations. Our intent by using publicity is too minimise the impact of this. ProCheckUp have had a number of discussions regarding waiting a longer time say one month to release the exploit, though this was determined to be unfeasible due to ease of determining the exploit and using it. It was felt that it is better to give ColdFusion administratorâs a tight deadline to secure their servers, rather than a relaxed one and having servers subjected to attack by the above. Personally I know that many prefer that exploits are not published and I understand this perspective; though my perspective is different coming from practical experience of performing forensics on customer sites after they have been âhackedâ using unpublished or zero day exploits. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336203 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm