Re: Internet Explorer 0day exploit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Bigby Findrake wrote:
> On Wed, 18 Jul 2007, Chris Stromblad wrote:
>
> <deletia>
>

>> One more thing about "advisories". I think it would be better to release
>> them immediately and let people know what they are facing. With public
>> dissemination of a vulnerability perhaps someone will release a 3rd
>> party patch or another inventive way of protecting oneself. Holding it
>> "secret" really doesn't help anyone.

Exactly. Why is it that many people seem to agree that it's less likely that something bad will happen if information is not disclosed. I'd say it's an equal, if not bigger, chance that something good happens. It's all about proportions really. There is likely more "good" people out there than "bad". If x % of the good guys look at it, they will likely count for a higher number of people as compared to an equal % x of the bad. So, yes... I believe that immediate information disclosure about a bug is better. It shortens the exposure window and it certainly does put more pressure on the vendor to come up with a patch.

>
> I guess what we're really talking about here is the perceived potential
> negative impact of letting the bad guys know that a vulnerability exists
> in space X (that they might then attempt to exploit where without that
> knowledge, they wouldn't try to exploit it even if it could be argued
> that they would attempt to find it) vs. the perceived potential good of
> allowing the good guys to attempt to formulate their own defenses
> tangential to some sort of "official" response.
>
> It seems to me that without metrics (how many early release advisories
> turned into exploits that wouldn't have been created without said
> advisory?) that all discussion on this topic is either philosophical or
> academic (which is not to imply "without merit").

Yeah, let's stay away from speculation and assumptions for now.

>

>> Anyways, enough ranting.

Well thank you, perhaps I should do it more often.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

>
>
>
> -- Making files is easy under the UNIX operating system. Therefore,
> users
> tend to create numerous files using large amounts of file space. It
> has been said that the only standard thing about all UNIX systems is
> the message-of-the-day telling users to clean up their files.
> -- System V.2 administrator's guide
>
> finger://ephemeron.org/bigby
> http://www.ephemeron.org/~bigby/
> irc://irc.ephemeron.org/#the_pub
> news://news.ephemeron.org/alt.lemurs
>
>

/ Chris

• -- Chris Stromblad (CEH) Security Engineer Outpost24 UK

90 Long Acre
Covent Garden
London, WC2 E9RZ

• ------------------------- Tel: +44 (0) 207 849 3097 Dir: +44 (0) 208 099 6595 Fax: +44 (0) 207 849 3140
• ------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGnnVJ+CG0a/ZJxn8RAmTsAKDRcGi+6jyPpWQofxyaWaOjg2w33gCfSWTj MHqg5Up5AvwBIvcWc0Lbj70=
=K9KH
-----END PGP SIGNATURE----- Received on Fri Jul 20 14:12:56 2007