Bugtraq mailing list archives
Re: BUGTRAQ] vulnerability in Connection Manager Control binary in
From: Chris Calabrese <chris_calabrese () YAHOO COM>
Date: Tue, 21 Nov 2000 10:27:43 -0800
Go through your Oracle installation and remove the setuid bit on all those little helper applications that you don't use. Don't wait for someone to tell you that one of them is exploitable.
I couldn't agree more. Unfortunately, this ends up as a political issue rather than a technical one in many cases. Yes, this is a very bad thing. It's also all too common.
[Rant deleted]
I also agree that vendors need to make a more concerted effort to actually respond to security issues rather than just sweeping them under the rug. The good news is that they are getting better. And much of this is thanks to pressure from the security community.

On the other hand, releasing exploit code before the vendor even has a chance to produce a patch and without including a definitive and well-tested work-around is making the problem worse, not better. In my opinion, the responsible thing to do is to present the vendor with a timeline of when you'll disclose if they don't do it first. Here's a (made up) example.

Dear vendor,

I've discovered a huge security hole in product X. Details below. You should be aware that I am an advocate of full disclosure and intend to disclose the issue to Bugtraq if you do not respond within N1 days, do not disclose the issue yourself (giving credit to me, of course) within N2 days, or do not produce a patch within N3 days.

Thank you...

This way, you still get the credit you deserve for discovering the problem, the vendor knows that you intend to disclose and can react accordingly, and, if the vendor reacts reasonably, you don't make the problem worse by letting the cat out of the bag prematurely.

Ok, that's enough on this issue. Let's get back to the real work of making the world a better place ;-)

__________________________________________________
Do You Yahoo!?
Yahoo! Shopping - Thousands of Stores. Millions of Products.
http://shopping.yahoo.com/
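The advice quoted at the top of this message (go through the Oracle installation and remove the setuid bit from the helper binaries you don't use) is easy to state and easy to get wrong by hand, so here is an added POSIX shell example of doing it methodically. This is not code from the original post or from Oracle: the directory layout, the file names in the keep-list and the `report`/`fix` modes are assumptions. It lists every setuid/setgid file under a tree, records their current permissions for rollback, and strips the bits from everything not explicitly kept.

```shell
#!/bin/sh
# Audit and prune setuid/setgid helper binaries under a directory tree
# (for example an Oracle home). Constructed example; paths are assumptions.

# Print every regular file under $1 that has the setuid or setgid bit set.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Save an "ls -ld" line for each setuid/setgid file under $1 into $2, so the
# original modes can be restored if a stripped helper turns out to be needed.
snapshot_setid() {
    list_setid_files "$1" | while IFS= read -r f; do
        ls -ld "$f"
    done > "$2"
}

# Strip setuid and setgid from every such file under $1 whose basename is NOT
# listed (one per line) in the keep-list file $2. Mode $3 is "report" (print
# what would change, touch nothing) or "fix" (default: actually chmod).
strip_unneeded_setid() {
    tree="$1"; keep="$2"; mode="${3:-fix}"
    list_setid_files "$tree" | while IFS= read -r f; do
        base=$(basename "$f")
        # Keep-list entries are the helpers you have positively decided you need.
        if grep -Fxq "$base" "$keep"; then
            continue
        fi
        if [ "$mode" = "report" ]; then
            echo "would strip: $f"
        else
            chmod u-s,g-s "$f" && echo "stripped: $f"
        fi
    done
}

# Usage: script.sh <tree> <keep-list> [report|fix]
# Example (hypothetical paths): script.sh /u01/app/oracle/product/8.1.7 keep.txt report
if [ $# -ge 2 ]; then
    snapshot_setid "$1" "setid-before.txt"
    strip_unneeded_setid "$1" "$2" "${3:-report}"
fi
```

Run it in `report` mode first, check the list against what the database actually needs on that host, then run `fix`; the snapshot file gives you the exact mode string to put back with `chmod` if a stripped helper is later found to be required.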
Current thread:
- Re: BUGTRAQ] vulnerability in Connection Manager Control binary in Chris Calabrese (Nov 22)