[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20040427193714.22129.qmail@web41610.mail.yahoo.com>
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: no more public exploits and general PoC gui de lines
Well, then the hole you get stuck in with that
particular situation is systems going unpatched, b/c
there is no exploit for the vulnerability.
A company I used to work for was that way. Regardless
of what security strongly recommended, patches weren't
being installed in a timely manner...largely b/c there
were no reports of actual exploit code being released.
However, a customer insisted that the patches be
installed ASAP...the logic used by the sysadmins
didn't jive.
> Having proof of concept code is always valuable
> (and the sooner the better),
> but I question releasing exploits that execute code
> on the target machine. Having a DoS PoC is enough...
> The legitimate pentesters will be able to modify the
> PoC to execute code on the target while, at the same
> time, the "kiddies" will be stuck with something of
> little or no use to them. This way everybody is
> happy.
> Some of you might say that some "kiddies" will be
> able
> to modify the DoS PoC to execute code for their
> malicious
> needs. Well, if this is the case, then we are no
> longer
> dealing with "kiddies"... If they can do this then
> they
> are capable of creating their own exploits...
Powered by blists - more mailing lists