Are you saying that unless there's an exploit that gives you access to the target machine your company wouldn't patch (even if there's an exploit that crashes the target)?
I don't know what company that was, but I'm glad I'm not working for them... Ignoring DoS exploits is irresponsible... to say the least. kcq -----Original Message----- From: Harlan Carvey [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 27, 2004 3:37 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] no more public exploits and general PoC gui de lines Well, then the hole you get stuck in with that particular situation is systems going unpatched, b/c there is no exploit for the vulnerability. A company I used to work for was that way. Regardless of what security strongly recommended, patches weren't being installed in a timely manner...largely b/c there were no reports of actual exploit code being released. However, a customer insisted that the patches be installed ASAP...the logic used by the sysadmins didn't jive. > Having proof of concept code is always valuable > (and the sooner the better), > but I question releasing exploits that execute code > on the target machine. Having a DoS PoC is enough... > The legitimate pentesters will be able to modify the > PoC to execute code on the target while, at the same > time, the "kiddies" will be stuck with something of > little or no use to them. This way everybody is > happy. > Some of you might say that some "kiddies" will be > able > to modify the DoS PoC to execute code for their > malicious > needs. Well, if this is the case, then we are no > longer > dealing with "kiddies"... If they can do this then > they > are capable of creating their own exploits... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
