[9665] in bugtraq
Re: [HERT] Advisory #002 Buffer overflow in lsof
daemon@ATHENA.MIT.EDU (Gene Spafford)
Fri Feb 19 16:53:33 1999
Date: Thu, 18 Feb 1999 21:41:16 -0500
Reply-To: Gene Spafford <spaf@CS.PURDUE.EDU>
From: Gene Spafford <spaf@CS.PURDUE.EDU>
X-To: Theo de Raadt <deraadt@cvs.openbsd.org>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Message from Theo de Raadt <deraadt@cvs.openbsd.org> of "Thu, 18 Feb 1999 17:11:41 -0700" <199902190011.RAA26284@cvs.openbsd.org>
> The REAL problem is software package maintainers who do not proactively
> audit their software.
That some vendors miss problems, or that software in widespread legacy use is
suddenly found to be vulnerable to a flaw is still not a reason to widely
publish a description of a potential attack before the vendor is notified.
Yes, some software could be written better. Yes, some vendors may do a poor
job of responding to reports.
Still, posting attacks or vulnerabilities that are not in general
knowledge and are not being actively exploited and *before* the vendor has
been given a chance to respond is not being part of the solution. It is
arrogance or showing off.
People who really want to improve security find ways to avoid hurting victims
and increase protection. If there is a problem that is not known and not
under attack, notifying the vendor and waiting for a valid fix to appear is
not going to result in anyone being hurt. Posting an exploit widely for a
previously unknown problem suddenly opens up all the current users to attack.
That there is (perhaps) a problem in assurance does not forgive this problem.
Two wrongs do not make a right.