oss-sec mailing list archives

Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser


From: Leif Nixon <nixon () lysator liu se>
Date: Fri, 24 Jul 2015 22:46:04 +0200

Martino Dell'Ambrogio <tillo () tillo ch> writes:

> On 07/24/2015 11:47 AM, Leif Nixon wrote:
> [...]
>
>> As I see it, there are two reasons for releasing working exploits
>> without warning:
>>
>> 1) Forcing the hand of a non-responsive vendor,
>>
>> 2) Stroking a weak ego by showing off. (Or for marketing, but that comes
>>    to the same thing.)
>>
>> Except for case 1, releasing a working exploit *does not help anybody*
>> except the kiddies. If there are other reasons, I'd like to be told
>> about them.
>>
>> If Qualys had released a slightly less detailed advisory, or even just
>> left off the actual exploit, and given users a day or two to patch their
>> systems before going full disclosure, the risk to innocent bystanders
>> would have been much reduced.
>
>
> Actually, releasing a working exploit helps our customers more often
> than not.
> In professional pentesting, proof of exploitation is essential.
> More often than not, a real attacker will invest time and resources into
> a working exploit; the customer will not feel the need to invest in it
> just for simulation.

I may have been somewhat unclear; what I'm (very) upset about is the
release of a working exploit without giving the user community a
realistic chance to patch.

-- 
Leif Nixon
------------------------------------------------------------------------------
"supercomputer specialists are charming, polite [and] witty" -- Wired Magazine
------------------------------------------------------------------------------