Re: [Full-Disclosure] no more public exploits

From: Exibar (exibar_at_thelair.com)
Date: 04/27/04

  • Next message: Steven Alexander: "RE: [Full-Disclosure] programming"
    To: "Baum, Stefan" <stefan.baum@eds.com>, <full-disclosure@lists.netsys.com>
    Date: Tue, 27 Apr 2004 15:27:09 -0400
    
    

    I agree, but the timing of the patch for an exploited vulnerability or a
    non-exploited vulnerability can make a difference. If there's an exploit
    out in the wild for a vulnerability, you might want to drop everything and
    patch everything you have. But, if there isn't an exploit, you might be
    able to get away with adding that patch to your weekly or whatever patching
    schedule.

      Exibar
    (I AM NOT AN ANIMAL!) hehehe
    ----- Original Message -----
    From: "Baum, Stefan" <stefan.baum@eds.com>
    To: <full-disclosure@lists.netsys.com>
    Sent: Tuesday, April 27, 2004 2:06 PM
    Subject: AW: [Full-Disclosure] no more public exploits

    IMHO, no sysadmin taking his work seriously, will wait patching the systems
    until an exploit is available throughout the internet.

    Stefan
    (I AM A SYSADMIN)

    > -----Ursprüngliche Nachricht-----
    > Von: full-disclosure-admin@lists.netsys.com
    > [mailto:full-disclosure-admin@lists.netsys.com] Im Auftrag von Yabby
    > Gesendet: Dienstag, 27. April 2004 19:06
    > An: johnny cyberpunk; full-disclosure@lists.netsys.com
    > Betreff: Re: [Full-Disclosure] no more public exploits
    >
    > Even though I think that the publication of your code might
    > have been a couple of weeks too soon: too bad you chose to
    > abandon full disclosure. A lot of people do not have the
    > skills to transform theoretical vulnerabilities into
    > practical exploits. With the lack of proof that the
    > vulnerability can really be exploited, a lot of sysadmins
    > will decide not to patch, leaving the holes in tact for the
    > real blackhats, that have possession of the malicious code anyway....
    >
    > maarten
    >
    > > this is an anouncement that i personally have no more intention to
    > > publish any
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Steven Alexander: "RE: [Full-Disclosure] programming"

    Relevant Pages

    • Re: Download.ject - commentary - LONG
      ... > patch recently released by Microsoft. ... > vulnerability in question, but instead is just a partial workaround. ... > Granted these are known security best practices related to Internet ... > a new default browser to users and hope that it will be safe enough. ...
      (microsoft.public.win2000.security)
    • Vulnerability Details for MS02-012
      ... Microsoft released a patch for a denial of service ... vulnerability in the Windows 2000 SMTP component. ... This bug affects all Windows 2000 systems running the SMTP service that have ...
      (Bugtraq)
    • Microsoft Security Bulletin MS01-044
      ... Subject: Microsoft Security Bulletin MS01-044 ... 15 August 2001 Cumulative Patch for IIS ... - A denial of service vulnerability that could enable an attacker ...
      (Bugtraq)
    • [NT] 15 August 2001 Cumulative Patch for IIS
      ... Microsoft has released an important patch for IIS administrators. ... * A denial of service vulnerability that could enable an attacker to ...
      (Securiteam)
    • McAfee ePolicy Orchestrator Format String Vulnerability (a031703-1)
      ... ePolicy Orchestrator Format String Vulnerability ... on the host they wish to compromise. ... The vendor has made a patch available. ...
      (Bugtraq)