lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050701225833.GA7844@jschipper.dynalias.net> Date: Fri Jul 1 23:58:38 2005 From: j.schipper at math.uu.nl (Joachim Schipper) Subject: Publishing exploit code - what is it good for On Thu, Jun 30, 2005 at 10:36:57AM -0700, Erick Mechler wrote: > :: Blackhats may get along with only a handful of exploits, if they're > :: willing to try to find targets to match their collection, but a > :: pentester should have the collection to match the target. > :: > :: This is doubly true if we're not talking about a dedicated pentester, > :: but about a sysadmin with a networking/security background who likes to > :: verify that the patches did, indeed, work. > > To that I say let the people producing the patches deliver the exploit code > as a POC that the patches did, indeed, work. Releasing exploit code before > the patch is released helps nobody except the blackhats. > > :: Also, exploits will be distributed, publicly or otherwise - doing it in > :: the open means we know what happens when. > > You should, as an admin, assume that once a vulnerability is released, the > exploit has been too, whether you see it attached to the vuln announcement > or not. > > Cheers - Erick Dear Erick, Those are two very valid points. I agree with you on the first, in general at least (if there's evidence that the vulnerability is exploited in the wild, and the vendor has made it clear through action or inaction that no patch is forthcoming, a publicly posted exploit can serve as a much-needed cattle prod - but that's a relatively uncommon situation). However, I wasn't talking about this, and I assume the OP wasn't, either; this is not an argument not to release exploit code at all. The second is true; however, it's also true that when there's a skiddie-friendly exploit out there, you can expect to see a lot more attacks. Pretty soon. And as pointed out further in the same thread, exploits function as a much-needed cattle prod for lazy admins too. And yes, I've needed the prodding a few times, myself. Joachim
Powered by blists - more mailing lists