24 hours after sending the code to the list, I still believe it was the right thing to do, it being already published on the web (metasploit.com) and referred to in a news article (news.com). From then on, it was only a matter of hours until someone spilled the beans to a mailing list, as I did.

The 2 weeks "grace" period being too short makes no real difference in the outcome: Microsoft products need to be constantly updated, and that's a fact. People hit by Slammer last year had plenty of time (6 months) to patch their systems; working exploit code was available from the beginning through cnhonker.com to exploit MS02-039 months before Slammer spread on the web. Result? Most of the MSSQL servers on the net were still vulnerable when the public exploit became so "mainstream" that someone wrote a worm for it.

Code being available to exploit a vuln is only a matter of time, sometimes days (latest Cisco vuln) and sometimes weeks (WebDAV)... but history has proven to us that even with a 6 month "grace" period, many systems remain vulnerable. If it wasn't for that necessary evil that full disclosure is, we would still be running vulnerable versions of sendmail with the WIZ command enabled by default. (doh)

Matt LaFlamme
FD supporter

Georgi Guninski wrote:
> Chris Paget wrote:
>
>> Personally, I'm tempted to set up my firewall to NAT incoming requests on port
>> 135 to either www.metasploit.com or www.xfocus.org. I know this is the
>> full-disclosure list, but working exploit code for an issue this huge is taking
>> it a bit far, especially less than 2 weeks after the advisory comes out.
>>
>
> IMHO releasing the exploit is ethical and legal.
> The root of the problem is m$, they should take responsibility for the worms.
> IIRC the m$ EULA states something like "the product is not fit for any purpose". So the exploit is consistent with the m$ EULA, I can't understand why you whine.
> btw, Terry Pratchett has very good writings on IT EULAs and practices - check "Good Omens" and a Discworld book mentioning a disorganizer.
>
> georgi
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
