Full Disclosure mailing list archives

Re: Re: Full Disclosure != Exploit Release

From: KF <dotslash () snosoft com>
Date: Wed, 29 Jan 2003 10:00:17 -0500

Paul Schmehl wrote:

On Wed, 2003-01-29 at 06:13, David Howe wrote:

That is of course your choice. Vendors in particular were prone to deny
a vunerability existed unless exploit code were published to prove it.



I've read this mantra over and over again in these discussions, and a
question occurs to me.  Can anyone provide a *documented* case where a
vendor refused to produce a patch **having been properly notified of a
vulnerability** until exploit code was released?

Heck yeah! See our issues with Compaq / HP earlier this summer... I wasbasically told sure you can cause a segfault but our non-executablestack is the holy grail and YOU can not touch it. Basically laughing inmy face for even implying that I could take root on a TRU64 box via abuffer overflow. Without an exploit they claimed it was NOT possible. Ihave heard of similar horror stories with HP... anyone else care to share?

You all know the outcome of that... a exploit was leaked they flippedout tryed to sue us and mircaulously you see patches in a few days.


-KF



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release, (continued)
- - - RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release hellNbak (Jan 29)
    - Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Blue Boar (Jan 29)
    - Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Rick Updegrove (security) (Jan 29)
    - RE: RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release Geo (Jan 29)
    - RE: RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release David Howe (Jan 29)
  - Re: Full Disclosure != Exploit Release Paul Schmehl (Jan 29)
    - Re: Re: Full Disclosure != Exploit Release hellNbak (Jan 29)
    - RE: Re: Full Disclosure != Exploit Release Richard M. Smith (Jan 29)
    - Re: Re: Full Disclosure != Exploit Release Georgi Guninski (Jan 29)
    - Re: Re: Full Disclosure != Exploit Release KF (Jan 29)
    - Re: Re: Full Disclosure != Exploit Release Blue Boar (Jan 29)
  - Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release ATD (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Georgi Guninski (Jan 29)
  - Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Florian Weimer (Jan 29)
  - Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release backed . up . by . 2048 . bit . encryption (Jan 29)
  - RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Richard M. Smith (Jan 29)
    - RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Ron DuFresne (Jan 29)
    - Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Kevin Spett (Jan 29)

(Thread continues...)