On 26 Dec 2008, at 20:18, Celierra Darling wrote:

On Fri, Dec 26, 2008 at 2:19 PM, <[email protected]> wrote:
Vulnerabilities _do_ constitute an active risk regardless of whether they are disclosed or not, as people looking for them can (and will) find them
eventually, and once they have, the details will spread explosively.
Exposing them before they are fixed at least gives users the chance to defend themselves before this happens, even if that means closing down
systems.

I'm not sure this follows.  There's a difference between exposing
enough details to exploit, reproduce, and fix a vulnerability, and
providing a way to prevent or mitigate possible exploits.  I think
we're just talking about the former, i.e. to whom LL can give details
like "there exists a buffer overflow near llhippos.cpp:123, triggered
by sending a malformed LLSomeMessage".  Disclosing the vulnerability
to everyone like that will not necessarily help with defense, and may
likely hinder it by decreasing the time one has to implement
workarounds.

I don't see how it would decrease the time one has to implement workarounds, I'm afraid - could you elaborate? One can't implement a workaround without actually knowing about an exploit, so the time will always be less (than infinite) when one does know about it.

The question is whether exposing an exploit will mean somebody who otherwise wouldn't now manages to exploit the exploit before the victim can fix things. In practice I think history indicates that discovered exploits tend to propagate through media quite apart from security lists.
_______________________________________________
Policies and (un)subscribe information available here:
http://wiki.secondlife.com/wiki/SLDev
Please read the policies before posting to keep unmoderated posting privileges