Re: Public announcements of SQL Security Vulnerabilities
From: Chris Wood (chris.wood@gov.ab.ca)
Date: 08/01/02
- Next message: Hal: "Re: Public announcements of SQL Security Vulnerabilities"
- Previous message: Chris Wood: "Re: CERT Advisory CA-2002-22"
- In reply to: Ernest DeVore: "Re: Public announcements of SQL Security Vulnerabilities"
- Next in thread: Mary Chipman: "Re: Public announcements of SQL Security Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Chris Wood" <chris.wood@gov.ab.ca> Date: Thu, 1 Aug 2002 10:29:14 -0600
Just my luck. The latest patch comes out and I cannot find the exploit
details, or the KB Q articles at Microsoft, on my favourite security sites.
I know that the author of this one is at BlackHat so maybe too busy to post.
Chris
"Ernest DeVore" <devore_ernest@hotmail.com> wrote in message
news:#MZo$ZKOCHA.1636@tkmsftngp13...
>
> "Chris Wood" <chris.wood@gov.ab.ca> wrote in message
> news:euC8XBxNCHA.2680@tkmsftngp09...
> > BP,
> >
> > What I am questioning is that the exploit script appears so early after the
> > fix is issued. Is a few hours an ethical amount of time? Remember that the
> > internet is always on and a fix and exploit code could be published after we
> > finish work and before we start again the following day or even over a
> > weekend.
> >
> > The current set of comments all seem to think that we should thank our lucky
> > stars that the exploit code does not appear before the bug is fixed.
>
> It's the old saw. Ignorance is bliss but it doesn't make the problem go
> away.
>
> If you go into the hacker forums and websites you'll find that they all love
> to talk about what they've done and impress each other with their
> brilliance. That's human nature. They all share their information and those
> exploits are known in the hacker communities for quite a while before some of
> the good guys who watch those communities pick up the information and bring it
> to the public eye.
>
> By the time you see an exploit I can guarantee you that the top 10% hackers,
> which are the truly motivated and Type-A personalities, already know about
> it. By publishing the exploit and example source codes you're letting in the
> rest of the slow dogs but you're also alerting us hard-working DBAs who don't
> have time to browse all the hacker communities out there. There are five other
> DBAs at any given time wanting my job. I don't want my competence to be called
> into question by something as silly as a buffer overrun exploit I'd never
> heard about but that some hacker used to bring my systems down.
>
> I thank the SQL gods every day for those websites that go forth into Indian
> Territory to bring us the bad news.
>
> /E