[Dshield] 0-day exploit: Microsoft Internet Explorer "Msdds.dll" Remote Code Execution Exploit

jayjwa jayjwa at atr2.ath.cx
Sat Aug 20 03:37:17 GMT 2005

On Thu, 18 Aug 2005, Johannes B. Ullrich wrote:

-> IMHO, the real question with respect to releasing / not releasing 0-day
-> is if it has been used in the wild.

I always want to know if anyone has found such a bug. What makes anyone 
think that they are the *only* ones that found said exploit? What if Mr. 
Joe Blackhat found that very same bug 4 weeks ago and just kept it to his 
close circle of friends? 4 weeks later (after 4 weeks of rooted boxes), 
then someone comes out and says, I just found a 0-day?

Non-disclosure helps only two groups:

1. blackhats that want to crack your system

2. companies that are worried about having to fix their broken OS
   and have to spend money.

...because what you don't know most certainly can hurt you. Ask some of 
the people that post on Full Disclosure: more than once someone has come 
forth and said they reported something to Microsoft, only to have them 
deny that it was in fact a bug to be concerned with. Only *after* the 
fact, once a POC code was out did they start doing something. Actually 
(and I don't know for sure), if you think about it and look at this 
exploit, it bears resemblance to the work of the person that I am thinking 
of when I say that 'they deny that it was in fact a bug to be concerned 

As a user, and as a sysadmin I want to know the second that anyone finds 
anything that could compromise those systems I'm looking after. Not doing 
so is selfish of the person that discovers but won't disclose because then 
he is assuming he is the only one capable of finding said bug, and we just 
can't be guaranteed that in every case. Tell me, then let me decide the 
best course of action: whether that means a patch, using a work-around, or 
just outright pulling the affected piece of software until it can be 
safely re-started.

