On Thu, Jun 30, 2005 at 10:36:57AM -0700, Erick Mechler wrote:
> :: Blackhats may get along with only a handful of exploits, if they're 
> :: willing to try to find targets to match their collection, but a 
> :: pentester should have the collection to match the target.
> :: 
> :: This is doubly true if we're not talking about a dedicated pentester, 
> :: but about a sysadmin with a networking/security background who likes to 
> :: verify that the patches did, indeed, work.
> 
> To that I say let the people producing the patches deliver the exploit code
> as a POC that the patches did, indeed, work.  Releasing exploit code before
> the patch is released helps nobody except the blackhats.
> 
> :: Also, exploits will be distributed, publicly or otherwise - doing it in 
> :: the open means we know what happens when.
> 
> You should, as an admin, assume that once a vulnerability is released, the 
> exploit has been too, whether you see it attached to the vuln announcement 
> or not.
> 
> Cheers - Erick

Dear Erick,

Those are two very valid points.

I agree with you on the first, in general at least (if there's evidence
that the vulnerability is exploited in the wild, and the vendor has made
it clear through action or inaction that no patch is forthcoming, a
publicly posted exploit can serve as a much-needed cattle prod - but
that's a relatively uncommon situation). However, I wasn't talking about
this, and I assume the OP wasn't, either; this is not an argument not to
release exploit code at all.

The second is true; however, it's also true that when there's a
skiddie-friendly exploit out there, you can expect to see a lot more
attacks. Pretty soon. And as pointed out further in the same thread,
exploits function as a much-needed cattle prod for lazy admins too.
And yes, I've needed the prodding a few times, myself.

                Joachim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/