| |||||||||||||
Speaking with codeSpeaking with codePosted Jul 25, 2009 1:07 UTC (Sat) by spender (subscriber, #23067)In reply to: Speaking with code by dlang Parent article: Quotes of the week
Then you missed my similar exploit in 2007 that introduced NULL ptr dereferences as an exploitable bug class. It was the entire reason mmap_min_addr was introduced in the first place.
-Brad
(Log in to post comments)
Speaking with code Posted Jul 25, 2009 1:36 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]
but if you pointed out a problem and they implemented a fix, doesn't that indicate that they care and are interested in fixing the problems?
the fact that that fix didn't solve all possible aspects of this problem is unfortunate, but not more than that (you didn't see the implications at that time or you would have made more of a fuss then)
by the way, I do think that there are times when it's necessary to develop exploits, I don't remember exactly which thing, but within the last few months there was some exploit (I think DNS) where there were reports of people looking at the flaw and saying 'they managed to make an exploit of _that_???'
and I do think that if a vendor does not respond in a reasonable time there is a need to shame them (the bad guys aren't going to remain ignorant of the exploit forever, especially if the good guys are talking about it)
however I strenuously disagree with the people who believe that full public disclosure with exploit code should be the first step
|
|||||||||||||