[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-Disclosure] no more public exploits and general PoC gui de lines
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: RE: [Full-Disclosure] no more public exploits and general PoC gui de lines
- From: Harlan Carvey <keydet89@xxxxxxxxx>
- Date: Tue, 27 Apr 2004 12:37:14 -0700 (PDT)
Well, then the hole you get stuck in with that
particular situation is systems going unpatched, b/c
there is no exploit for the vulnerability.
A company I used to work for was that way. Regardless
of what security strongly recommended, patches weren't
being installed in a timely manner...largely b/c there
were no reports of actual exploit code being released.
However, a customer insisted that the patches be
installed ASAP...the logic used by the sysadmins
didn't jive.
> Having proof of concept code is always valuable
> (and the sooner the better),
> but I question releasing exploits that execute code
> on the target machine. Having a DoS PoC is enough...
> The legitimate pentesters will be able to modify the
> PoC to execute code on the target while, at the same
> time, the "kiddies" will be stuck with something of
> little or no use to them. This way everybody is
> happy.
> Some of you might say that some "kiddies" will be
> able
> to modify the DoS PoC to execute code for their
> malicious
> needs. Well, if this is the case, then we are no
> longer
> dealing with "kiddies"... If they can do this then
> they
> are capable of creating their own exploits...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html