Jerry wrote:
On Tue, 15 Sep 2009 20:51:40 +0200
Mel Flynn <mel.flynn+fbsd.questi...@mailing.thruhere.net> wrote:

Please inform yourself properly before assuming you're right. Mozilla
does not by default publish vulnerabilities before a fix is known. In
some cases publishing has been delayed by months. The exception is
when exploits are already in the wild and a workaround is available,
while a real fix will take more work.

This is also why vulnerabilities are typically not disclosed until a
fix is known, because it does not protect the typical user, but puts
him in harm's way, which is exactly what you don't want.

In theory, if I know the details of this particular exploit, I can
patch my 6.4 machines myself, but more realistically, if developers
take all this time to come up with a solution that doesn't break
functionality the chances that I and more casual users can do this
are slim. Meanwhile, the exploit will be coded into the usual
rootkits and internet scanners and casualties will be made. That
doesn't help anyone.

Assume that I have discovered a vulnerability in a widely used, or even
marginal for argument's sake, program. I now start to exploit that
vulnerability. Now assume that you are responsible for maintaining
that program. Use any job description that suits you for this purpose.
Are you claiming that since it may take several months to fix, it is
better to let users be exploited rather than inform them that there is
an exploitable problem in said software? I find that extremely
disturbing.

As you can no doubt tell, I am not a believer in the "Ignorance is
bliss" theory.


I believe the point that others are trying to make is this. Your example requires that the exploit is known to the blackhats and in use currently. Their example assumes that the exploit is only known to those who discovered it.

This particular exploit is not believed to be known to the blackhats, and is not known to be in use currently.

Is it better for an exploit to remain a secret and not in use, protecting those that may not get their systems patched in time (as the blackhats *will* most certainly put the exploit to use as soon as they are told about it)? Or, let the exploit remain a secret until it is either fixed and a patch made available, or discovered in use by blackhats?

I think you are both right. If the exploit is not being used, keep it a secret and let the developers design a permanent fix. If the exploit is discovered publicly before the fix is out, warn everyone loudly and provide a workaround.

I believe all software I am aware of handles exploits with that method.

DAve

--
"Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Quincy Adams

http://appleseedinfo.org

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"