>> It is my personal belief that all vulnerabilities should be patched >> regardless of existence of a known attack vector or exploit. > > Let me fix that for you: > > All vulnerabilities should be evaluated as to whether patching them > makes sense. If it's a one-liner fix for a stupid logic error, yes > it probably should be patched whether or not there's a known exploit. > ... > > So yes, evaluation is needed. But patching it may not make any realistic > sense, depending on the nature of the issue and who is potentially affected. >
I agree Valdis, and I personally used shatter when it was popularized.. resulting in tons of fun here at the university with my colleagues. However, I'm simply stating a belief in a more abstract sense, I agree beliefs are not always realistic, but personally I /do/ make that guarantee whenever I write a piece of code. I am very aware I must compromise this belief when working in the market, like most of my other beliefs and morals, and I do so daily. Then I go home and cry myself to sleep. Charles _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/