Bugtraq mailing list archives

Re: Vulnerabilities in some SCADA server softwares


From: Willy Tarreau <w () 1wt eu>
Date: Thu, 24 Mar 2011 12:13:32 +0100

On Wed, Mar 23, 2011 at 02:36:38PM -0400, J. Oquendo wrote:
> On 3/23/2011 2:13 PM, Theo de Raadt wrote:
> > > If *any* threat exists,
> > > that threat is increased by public exposure of unmitigated attack
> > > methodology
> >
> > I think you have it wrong.
> >
> > Public exposure increases the visibility, and therefore customers
> > install the patches quicker.
> >
> > Without public visibility, they will keep running the old code.
>
> You're flawed in your response: "Public exposure increases the
> visibility, and therefore customers install the patches quicker." ...
> When someone "full discloses" a vulnerability, there is no patch to
> install quicker.

That does not change the fact that the bug might already have been
exploited for a long time. Without the disclosure, the vendor has
the possibility to guess that it's not the case and take a long time
to fix it. After the disclosure, this possibility vanishes and it has
to work on a fix.

Also, if vulnerabilities were waiting for disclosure to be exploited
in such environments, Stuxnet would not have existed *before* Luigi's
post, only after. Recent facts have proven you wrong here.

Granted, now there's an emergency and we'll possibly get poor-quality
patches or workarounds at first. At least if some of these
vulns are currently being actively exploited, we can expect those
exploits to quickly stop from now on.

Willy

