Seems to me that having the source would make finding an exploit
considerably easier.
As you say, it's not impossible without the source - at least many, if not
most, exploits are found without source code.
As an ex-computer professional I personally have found exploits without
source code. In all those cases I wished I'd had the source.
So I think your respondent is wrong. I won't sully the airwaves with my
other thoughts about his/her comments.
My original point was related to the fact that I have wasted a lot of time
(probably man-months) looking at source code to find problems in (other
people's) executables when it turned out that the source I was looking at
had been changed *after* the executable was released. As a result I simply
refuse to trust source code that has a "time last modified" (TLM) after the
TLM of the executable. Promises that "this really is the source" carry very
little weight on my scales.
Harold Fuchs
----- Original Message -----
From: "Mike Miller" <[EMAIL PROTECTED]>
To: "Harold Fuchs" <[EMAIL PROTECTED]>
Cc: "James Weatherall" <[EMAIL PROTECTED]>; <vnc-list@realvnc.com>
Sent: Wednesday, May 17, 2006 12:32 AM
Subject: Re: Version 4.1.2
On Wed, 17 May 2006, Harold Fuchs wrote:

> Mike Miller wrote:
>
> <snip>
>
> > Another good reason to release binaries first -- think about this -- a
> > bad guy could download both the new source and the old source, do diffs
> > and figure out how to exploit the vulnerability. If the binaries are
> > out there first, it gives us a chance to prepare for the coming barrage
> > of attacks.
>
> This is an excellent point.
>
> Thank you.
FYI - I've been told off list that my point is not excellent, and it is in
fact glaringly and shamefully wrong. The guy who wrote to me said my
remark was "one of the most false statements I have heard." It was, he
claimed, the sort of thing that a 14-year-old would write in an attempt to
show off. The person who told me these things also told me that he is a
computer professional who was able, with a friend, to develop an exploit
for this vulnerability in only 12 hours of work. He completed it 8 hours
before the source code was available. Therefore, he believes, I am wrong
to suggest that the source code could help someone to develop software for
remote exploit. I don't agree. I did not claim that it would be
impossible to develop the exploit without the diffs. Of course it was
possible to develop an exploit without the diffs and that was why the code
had to be revised. I think the revised code could help, but it is
possible that I am mistaken.
Anyway, I thought I'd point out that not everyone agrees with me.
Mike
_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list