oss-sec mailing list archives
Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser
From: Leif Nixon <nixon () lysator liu se>
Date: Fri, 24 Jul 2015 22:46:04 +0200
Martino Dell'Ambrogio <tillo () tillo ch> writes:
> On 07/24/2015 11:47 AM, Leif Nixon wrote:
> [...]
> As I see it, there are two reasons for releasing working exploits without warning;
> 1) Forcing the hand of a non-responsive vendor,
> 2) Stroking a weak ego by showing off. (Or for marketing, but that comes to the same thing.)
> Except for case 1, releasing a working exploit *does not help anybody* except the kiddies. If there are other reasons, I'd like to be told about them.
> If Qualys had released a slightly less detailed advisory, or even just left off the actual exploit, and given users a day or two to patch their systems before going full disclosure, the risk to innocent bystanders would have been much reduced.

Actually, releasing a working exploit helps our customers more often than not. In professional pentesting, proof of exploitation is essential. More often than not, a real attacker will invest time and resources into a working exploit; the customer will not feel the need to invest in it just for simulation.
I may have been somewhat unclear; what I'm (very) upset about is the release of a working exploit without giving the user community a realistic chance to patch.

--
Leif Nixon
------------------------------------------------------------------------------
"supercomputer specialists are charming, polite [and] witty" -- Wired Magazine
------------------------------------------------------------------------------
Current thread:
- Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Qualys Security Advisory (Jul 23)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Leif Nixon (Jul 23)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Philip Pettersson (Jul 23)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Jamie Strandboge (Jul 23)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Kurt Seifried (Jul 23)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Leif Nixon (Jul 24)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Martino Dell'Ambrogio (Jul 24)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Joshua Rogers (Jul 24)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Leif Nixon (Jul 24)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Brad Knowles (Jul 24)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Leif Nixon (Jul 25)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Michal Zalewski (Jul 25)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Dave Horsfall (Jul 25)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Brad Knowles (Jul 25)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Hanno Böck (Jul 26)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Philip Pettersson (Jul 23)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Leif Nixon (Jul 23)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Brandon Perry (Jul 24)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser mancha (Jul 27)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Ankeet Presswala (Jul 27)