Yes, I realize Milw0rm is simply posting exploits sent to them. I didn't mean to make it sound like I was putting down Milw0rm, I am just concerned about the number of 0day's coming out. But, this did make me think. Maybe a site like this should take exploit submissions via a web based form where the submitter has to sign an agreement stating something to the effect of:
If you are submitting an exploit for a vulnerability you discovered and did not responsibly disclose to the vendor you are a meanie. If you did and they chose not to address it you are a cool person. I agree we need to see these things if they are going to be floating around. I just wish people would be more responsible when they discover a vulnerability and develop an exploit for it. Try to let the vendor know first.

On 6/23/06 10:47 PM, "Gadi Evron" <[EMAIL PROTECTED]> wrote:

> On Fri, 23 Jun 2006, David Taylor wrote:
>> Not sure if I agree with the "Most sites don't fix them" comment but I agree there are probably a lot of people that just don't get how serious the report is about a vulnerability in their software.
>>
>> What I am worried about for the moment is milw0rm. That site releases an average of 6 or 7 zero day exploits a day. It has increased the workload I have letting our IT folks know about new threats. A lot of these vulnerabilities are web/php based but pwn3d is pwn3d. I would imagine it feeds a lot of the zone-h.org defacement entries. I don't see as many full disclosure zero-day postings as I do on milw0rm.
>>
>> Sorry if this doesn't fit the entire subject matter of this post but just had to throw it out there. It is getting hard to keep up with.
>
> What you say makes sense, but isn't that shooting the messenger?
>
> You are right about how dire the situation is. We have all been thinking hard on how to change it. I will wait for Steve Christey's reply as he knows how to explain these issues far better than me.
>
> Still, milw0rm seem like good people to me. They bring you the information. Without them (and places like the site I am biased about, securiteam.com, ex-FRSIRT, etc.) only the Bad Guys would know about these.
>
> Unrelated, we should start distinguishing again between full disclosure vulnerabilities and 0days (which can only be used while you don't know about them / you caught itw, but definitions vary - just too many "0days").
>
> Gadi.
>
>> On 6/23/06 9:30 PM, "Gadi Evron" <[EMAIL PROTECTED]> wrote:
>>
>>> In this post I link to a blog entry by a guy (dcrab) who does some show and tell about Amazon and MSN. You gotta love Full Disclosure. Full Disclosure and why bugtraq is here is what I talk about. Just skip my text to the end for that information.
>>>
>>> So, yes, we know. Thanks. Yes, we know. Most sites have vulnerabilities. Most sites don't fix them. All you have to do is pick one arbitrarily and find them after a second to a few minutes of search.
>>>
>>> Recently I exchanged some words on exactly this subject with Scott Chasin (started bugtraq back in `93). This is why Full Disclosure was originally done and part of why bugtraq was originally created. People don't often remember why, and today attack the concept of Full Disclosure and say that it is irresponsible to disclose vulnerabilities that way.
>>>
>>> On some levels, I agree, but nothing is black and white even if I often think it is.
>>>
>>> Some companies take security seriously. Reporting to them works. Some companies (at BEST) ignore you. Back then most companies ignored. Back then Full Disclosure was THE silver bullet and THE solution. I recently had the chance to discuss this with Aleph1 as well. He who strongly believes in Full Disclosure agrees it's a different world now.
>>>
>>> Today, the same situation is repeated with new fields. Game companies, critical infrastructure (such as with SCADA systems), etc. who now discover the world of vulnerability research don't know how to deal with it. It is interesting to watch how the world of security repeats its history.
>>>
>>> When someone releases the information it is a fact that everyone goes and attacks the site or builds a POC. When someone provides only with the name of the site or skeleton details of vulnerabilities... everyone goes and looks for what they know is there.
>>>
>>> Back a few months ago a kiddie tried to sell an Excel vulnerability on FD. Now, I am not sure if this is completely related but a few months after that Microsoft released several patches for Excel. This month we have had Excel 0days.
>>>
>>> In the world of web security the situation is more extreme. Release the bug? Everyone will exploit it. Release the site name? Everyone will find a bug there TODAY.
>>>
>>> The point is, though, that these vulnerabilities have always been there, and they have been exploited before. We just didn't know about them. And people are surprised when corporations and sites are broken into and their personal data is stolen?
>>>
>>> Here is a blog post of a guy who got sick of reporting vulnerabilities, and after years of trying (look at the dates), finally made a small release about MSN and Amazon (although other interesting sites are listed there).
>>>
>>> http://blogs.hackerscenter.com/dcrab/?p=19
>>>
>>> Noam Rathaus recently wrote about a similar issue ("From Flaw to Exploit"):
>>> http://blogs.securiteam.com/index.php/archives/449
>>>
>>> I contacted both Amazon and MS, but this is out there and once it's out there - it's, well; out there. Full disclosure, y'know.
>>>
>>> Gadi Evron.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>> ==================================================
>> David Taylor //Sr. Information Security Specialist
>> University of Pennsylvania Information Security
>> Philadelphia PA USA
>> (215) 898-1236
>> http://www.upenn.edu/computing/security/
>> ==================================================
>>
>> Penn Information Security RSS feed
>> http://www.upenn.edu/computing/security/rss/rssfeed.xml
>> Add link to your favorite RSS reader