:: Blackhats may get along with only a handful of exploits, if they're
:: willing to try to find targets to match their collection, but a
:: pentester should have the collection to match the target.
::
:: This is doubly true if we're not talking about a dedicated pentester,
:: but about a sysadmin with a networking/security background who likes to
:: verify that the patches did, indeed, work.
To that I say let the people producing the patches deliver the exploit code as a POC that the patches did, indeed, work. Releasing exploit code before the patch is released helps nobody except the blackhats.

:: Also, exploits will be distributed, publicly or otherwise - doing it in
:: the open means we know what happens when.

You should, as an admin, assume that once a vulnerability is released, the exploit has been too, whether you see it attached to the vuln announcement or not.

Cheers - Erick

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
