Message-ID: <3E3421B5.2080000@snosoft.com>
From: dotslash at snosoft.com (KF)
Subject: Sapphire worm POC that fulldisclosure policies hurt everyone
>If the ms-sql bug had never been disclosed, and was slipped quietly to
>Microsoft, this never would have happened, and the same responsible
>administrators would have upgraded their software.
*cough* bulls$#t *cough*...
Even if this bug had not been disclosed to the public, there is the same
possibility that a worm would have been released by some random blackhat
community that found the bug and whored it amongst themselves for a while.
Blackhats can find and write exploits for worms just as quickly as
whitehats can find them and disclose them to the public. The bottom line
is that some developer made an error that caused a security hole. ANYONE
could find and exploit that hole and write a worm for it, or admin 1000s
of boxes by hand with their uber ./ skills... the disclosure is not the
issue.
The damage would be no more or no less than what was already caused had
someone released a worm for a bug that Microsoft silently fixed. For
that matter, was Code Red not just a modification for a similar hole with
a similar worm that MS just silently patched a year prior?
-KF