Open Source and information security mailing list archives
 
Date: Sat Jun 24 17:40:19 2006
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities

>> >> What I am worried about for the moment is milw0rm. That site releases an
>> >> average of 6 or 7 zero day exploits a day.  It has increased the workload I
>> >> have letting our IT folks know about new threats. A lot of these
>> >> vulnerabilities are web/php based but pwn3d is pwn3d.

if you had a clue you would realize that the majority ( my guess is 98% ) of the
exploits on milw0rm are not "0day", but are in fact released after vendor patches
are available. ( maybe str0ke could help with his guess on the percentage )

for those that are released without vendor patches,
they are generally due to the fact that the vendor is:
 1. not contactable
 2. non responsive to the researcher
 3. ignorant

 in cases 2 and 3 ( common ) the researcher releases them to HELP bring the
awareness to the vendor and users that "foobar" software is buggy and needs to be
either fixed by the vendor or removed by users and replaced by a better solution.

 I suppose you would rather these float around only in the underground and
then you would have NO clue as to how you got "pwn3d", possibly you should
have gotten into the offensive security side of things so you don't have to worry
instead of going for the classic defensive security position you obviously dread.

clue up!

MW
