On Fri, Dec 26, 2008 at 3:27 PM, <[email protected]> wrote:
> One can't implement a workaround without
> actually knowing about an exploit...

There are plenty of cases where one can release a workaround or patch without giving away how to exploit the vulnerability. One example is the Kaminsky-found DNS hole (patch: randomize ports). Another is the Quicktime-to-SL hole (workaround: disable playback via Quicktime). Although you get notified that there *exists* a vulnerability somewhere in there, you're not getting details at the level of "the bug is at llhippos.cpp:123....". The logic goes: if you release only the workarounds to the public instead of the exploit details, you make crackers' lives a bit harder, and so give your users more time to apply the patches/workarounds before exploits get into the wild.

> The question is whether exposing an exploit will mean somebody who otherwise
> wouldn't now manages to exploit the exploit before the victim can fix
> things. In practice I think history indicates that discovered exploits tend
> to propagate through media quite apart from security lists.

I don't see why an early disclosure group would be much of a hindrance in a zero-day case. Suppose an exploit is floating in the wild already, and LL for some reason does early disclosure anyway. Then at least one of the teams of developers (third party and/or LL) would likely think up some sort of patch or workaround. If nobody can figure out how to mitigate it (which would be rather extraordinary!), then I don't see why they wouldn't immediately go for public help in coming up with one.

Are you worried about the delay between the two, or am I missing something? If you are, then perhaps all that's needed is recognition that in a case where an exploit is already actively going around, there's not much gain in releasing to a limited group first (since 'they' already have the exploit). But I'd think that to be rather self-evident, to be honest.
Celierra

_______________________________________________
Policies and (un)subscribe information available here:
http://wiki.secondlife.com/wiki/SLDev
Please read the policies before posting to keep unmoderated posting privileges
