> Don't think CERT wants to publish ways to test for the hole. Know
> I don't want them to.
Agree with this position for several reasons. The first is that it is
enough to know that the hole exists and in what. If I need to know
exactly what the hole is, I know who to call. For most cases, applying the
patch is enough; once the hole is gone it does not really matter what it
was.
Second, some people seem to think that all "Bad Guys" read bugtraq or
are even intelligent. Not so, just as the same does not apply to "Good
Guys" either. Publishing the details is just not necessary. It adds nothing
to the content of the warning (though IMHO they could be a bit speedier in
issuing the warning itself).
The point is that exploitation of a hole just requires knowledge of the
vulnerability & commands and not knowledge of why the hole works. IMNSHO
the CERT is providing a valuable service and has political reasons for
the way the notices are worded and their timing. Nothing is stopping
someone else from publishing their own with as much detail as they want.
Warmly,
Padgett