[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Vulnerabilities in some SCADA server softwares

On Wed, Mar 23, 2011 at 02:36:38PM -0400, J. Oquendo wrote:
> On 3/23/2011 2:13 PM, Theo de Raadt wrote:
> >> If *any* threat exists,
> >> that threat is increased by public exposure of unmitigated attack
> >> methodology
> > I think you have it wrong.
> >
> > Public exposure increases the visibility, and therefore customers
> > install the patches quicker.
> >
> > Without public visibility, they will keep running the old code.
> You're flawed in your response: "Public exposure increases the
> visibility, and therefore customersinstall the patches quicker." ...
> When someone "full discloses" a vulnerability, there is no patch to
> install quicker.

That does not change the fact that the bug might already have been
exploited for a long time. Without the disclosure, the vendor has
the possibility to guess that it's not the case and take a long time
to fix it. After the disclosure, this possibility vanishes and he has
to work for a fix.

Also, if vulnerabilities were waiting for disclosure to be exploited
in such environments, Stuxnet would not have existed *before* Luigi's
post, only after. Recent facts have proven you wrong here.

Granted now there's emergency and we'll possibly get poor quality
patches or workarounds in the first time. At least if some of these
vulns are currently actively being exploited, we can expect those
exploits to quickly stop from now on.