On Tue, 15 Sep 2009 15:28:59 -0400 DAve <[email protected]> wrote:
> Jerry wrote:
> > On Tue, 15 Sep 2009 20:51:40 +0200
> > Mel Flynn <[email protected]> wrote:
> >
> >> Please inform yourself properly before assuming you're right.
> >> Mozilla does not by default publish vulnerabilities before a fix
> >> is known. In some cases publishing has been delayed by months. The
> >> exception is when exploits are already in the wild and a work
> >> around is available, while a real fix will take more work.
> >>
> >> This is also why vulnerabilities are typically not disclosed till a
> >> fix is known, because it does not protect the typical user, but
> >> puts him in harm's way, which is exactly what you don't want.
> >>
> >> In theory, if I know the details of this particular exploit, I can
> >> patch my 6.4 machines myself, but more realistically, if developers
> >> take all this time to come up with a solution that doesn't break
> >> functionality the chances that I and more casual users can do this
> >> are slim. Meanwhile, the exploit will be coded into the usual
> >> rootkits and internet scanners and casualties will be made. That
> >> doesn't help anyone.
> >
> > Assume that I have discovered a vulnerability in a widely used, or
> > even marginal for argument's sake, program. I now start to exploit
> > that vulnerability. Now assume that you are responsible for
> > maintaining that program. Use any job description that suits you
> > for this purpose. Are you claiming that since it may take several
> > months to fix, it is better to let users be exploited rather than
> > inform them that there is an exploitable problem in said software?
> > I find that extremely disturbing.
> >
> > As you can no doubt tell, I am not a believer in the "Ignorance is
> > bliss" theory.
>
> I believe the point that others are trying to make is this. Your
> example requires that the exploit is known to the blackhats and in
> use currently. Their example assumes that the exploit is only known to
> those who discovered it.
>
> This particular exploit is not believed to be known to the black
> hats, and not known to be in use currently.
>
> Is it better for an exploit to remain a secret and not in use,
> protecting those that may not get their systems patched in time (as
> the blackhats *will* most certainly put the exploit to use as soon as
> they are told about it)? Or, let the exploit remain a secret until it
> is either fixed and a patch made available or discovered in use by
> blackhats.
>
> I think you are both right. If the exploit is not being used, keep it
> a secret and let the developers design a permanent fix. If the
> exploit is discovered publicly before the fix is out, warn everyone
> loudly and provide a workaround.
>
> I believe all software I am aware of handles exploits with that
> method.

I am not aware of any infallible method of determining if an exploit is
in use. By the time the exploit becomes common knowledge it is usually
too late. Lacking same, I believe in the "Forewarned is Forearmed"
policy. Waiting until someone is harmed is tantamount to being an
accomplice to the act.

-- 
Jerry
[email protected]

Never buy from a rich salesman.
Goldenstern
