[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <F6242D340921D5118D1E00508BB9837A07657D42@tlnmail1.toplayer.com>
From: kquest at toplayer.com (kquest@...layer.com)
Subject: no more public exploits and general PoC gui
de lines
Are you saying that unless there's an exploit
that gives you access to the target machine
your company wouldn't patch (even if there's
an exploit that crashes the target)?
I don't know what company that was, but I'm
glad I'm not working for them... Ignoring DoS
exploits is irresponsible... to say the least.
kcq
-----Original Message-----
From: Harlan Carvey [mailto:keydet89@...oo.com]
Sent: Tuesday, April 27, 2004 3:37 PM
To: full-disclosure@...ts.netsys.com
Cc: kquest@...layer.com; johncybpk@....net
Subject: RE: [Full-Disclosure] no more public exploits and general PoC
gui de lines
Well, then the hole you get stuck in with that
particular situation is systems going unpatched, b/c
there is no exploit for the vulnerability.
A company I used to work for was that way. Regardless
of what security strongly recommended, patches weren't
being installed in a timely manner...largely b/c there
were no reports of actual exploit code being released.
However, a customer insisted that the patches be
installed ASAP...the logic used by the sysadmins
didn't jive.
> Having proof of concept code is always valuable
> (and the sooner the better),
> but I question releasing exploits that execute code
> on the target machine. Having a DoS PoC is enough...
> The legitimate pentesters will be able to modify the
> PoC to execute code on the target while, at the same
> time, the "kiddies" will be stuck with something of
> little or no use to them. This way everybody is
> happy.
> Some of you might say that some "kiddies" will be
> able
> to modify the DoS PoC to execute code for their
> malicious
> needs. Well, if this is the case, then we are no
> longer
> dealing with "kiddies"... If they can do this then
> they
> are capable of creating their own exploits...
Powered by blists - more mailing lists