Re: Internet Explorer 0day exploit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 18 Jul 2007, Chris Stromblad wrote:

<deletia>

> One more thing about "advisories". I think it would be better to release
> them immediately and let people know what they are facing. With public
> dissemination of a vulnerability perhaps someone will release a 3rd
> party patch or another inventive way of protecting oneself. Holding it
> "secret" really doesn't help anyone.

With regards to your last statement, I would like to believe that that's so, or at least that if there is some harm in "early release" of information that that harm is mitigated (if not outright outweighed) by the potential good that's done by alerting the community and thereby allowing them to develop their own responses.

I guess what we're really talking about here is the perceived potential negative impact of letting the bad guys know that a vulnerability exists in space X (that they might then attempt to exploit where without that knowledge, they wouldn't try to exploit it even if it could be argued that they would attempt to find it) vs. the perceived potential good of allowing the good guys to attempt to formulate their own defenses tangential to some sort of "official" response.

It seems to me that without metrics (how many early release advisories turned into exploits that wouldn't have been created without said advisory?) that all discussion on this topic is either philosophical or academic (which is not to imply "without merit").

> Anyways, enough ranting.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

I, for one, enjoyed your rant.

• -- Making files is easy under the UNIX operating system. Therefore, users tend to create numerous files using large amounts of file space. It has been said that the only standard thing about all UNIX systems is the message-of-the-day telling users to clean up their files.
  • System V.2 administrator's guide

finger://ephemeron.org/bigby

http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use Charset: noconv

iQA/AwUBRp5dzuG50ohcWywfEQIaGwCdFvAHqttbczpDKBmJXkJZrDf1/BgAnRzh tNxtwD2MTu+qYgDY0EpRCuC0
=xb3M
-----END PGP SIGNATURE----- Received on Wed Jul 18 15:17:52 2007