There's two sets of bad attitude going round and round in this thread. Heating the debate to pure sillyness.
One shown by the parties that understand how a buffer overflow with only zeroes can be exploited, but who until today have refused to even mention the theory behind it. Resorting to "if you don't understand this just shut up and patch your system". The other shown by the parties who don't understand how a buffer overflow with only zeroes can be exploited, and taken the position of "if I can't understand it, it can't exist". Today we've got the explaination. Now even I understand how this could be exploited. <<snip>> > Fact > remains that exploiting this issue requires creativity beyond > the pre-chewed papers. And that's why you're not seeing the regular > array of mediocre "hackers" producing exploit code. I'd like to > think that anyone who was capable of writing this exploit also > recognises the potential impact of releasing it. But the "array of mediocre hackers" also scream wolf quite often, causing admins of 24/365 system to be a bit selective on when to take the system down to patch. And with a weakness/exploit that 99% of even seasoned admins can't figure out how it can be an exploit it's not so hard to understand that several of us say "huh, can anyone explain how this can be an exploit". Badly expressed I'm afraid, coming across as "show me a working exploit and I'll patch, otherwise I'll regard this a a hoax", instead of "can anyone explain, in theory, how this could be exploited". End of thread I hope. // hdw _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
