Len, IMHO there's a difference between "security through obscurity" and posting working exploit code. Knowing that there is a vulnerability in DCOM, accessible over a range of RPC mechanisms (primarily 135/tcp), is all that most administrators need to know. It's one thing knowing that you can kill a person with a gun, and it's another to give away firearms.

Scanners are good; I agree they give out more information than an advisory, but it's still a step away from giving the kiddies a tool. Those in the know will always be able to write an exploit from minimal details; whether or not the pre-pubescent h4xx0rs get hold of it is another matter though. Different people will have differing opinions on how much information and what kind of disclosure policy is acceptable; for me, working exploit code so soon after the advisory is just irresponsible.

As for the <2 week "grace period", it's not enough. What if the patch is broken in some way? It was rushed out the door by Microsoft; how many admins wait a month before applying a patch, just to see if anyone else has problems with it? I've just finished an audit on a multinational manufacturing company; the exploit code came out before they'd patched. How many other companies are in the same boat? I agree, exploit code may force people to patch, but that's not sufficient justification in my book.

Chris

On Sat, 26 Jul 2003, Len Rose wrote:

> Disclaimer: I'm not supposed to have an opinion about anything
> other than how the list functions but I'm weak and unable to
> resist this one.
>
> Hi Chris,
>
> I don't feel that your position is valid. Once the vulnerability was
> announced then it was inevitable. I'm surprised that you feel that
> security by obscurity is a valid stance. Even those who have released
> "harmless" scanners have in fact aided those who would be writing such
> malware anyway since all they have to do is sniff the wire if they're
> searching for correct methodology.
>
>
> Chris Paget wrote:
>
> > <sarcasm>
> > I'd just like to thank FlashSky, Benjurry, and H D Moore for releasing this
> > code. Really guys, sterling job. Now the skript kiddies and VXers have got
> > virtually no work to do in order to write a worm that exploits this.
> > </sarcasm>
>
> Only those who mistakenly believe that hiding information from the masses
> will stop those who have the knowledge and intent to cause harm could feel
> this way.
>
> > Personally, I'm tempted to set up my firewall to NAT incoming requests on port
> > 135 to either www.metasploit.com or www.xfocus.org. I know this is the
> > full-disclosure list, but working exploit code for an issue this huge is taking
> > it a bit far, especially less than 2 weeks after the advisory comes out.
>
> It wouldn't matter if it were 2 months.
>
> > Cheers, fellas. When the worm comes out, I'll be thinking of you.
>
> Think of the joke sold to millions of people masquerading as an operating system
> coded by unemployed vms programmers, and visual basic "experts" instead.
>
> Len
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
