From: "Drew Copley" <dcopley () eEye com>
Date: Thu, 1 Jul 2004 12:58:01 -0700
From: Blue Boar [mailto:BlueBoar () thievco com]
Sent: Thursday, July 01, 2004 12:51 PM
To: Drew Copley
Cc: Robin Landis; bugtraq () securityfocus com;
full-disclosure () lists netsys com; ntbugtraq () listserv ntbugtraq com
Subject: Re: [Full-disclosure] RE:
Drew Copley wrote:
I contend that the fact that the very same people are
reporting bugs does not mean that they are the only ones
finding them. Nor does it mean that only an expert might
find them. Nor does it mean that all experts would be
inclined to report them.
Great. Based on what evidence.
Didn't a couple of the recent IE holes come to light because
first publicly found in the wild?
There has been one true zero day in IE.
This was the recent spyware issue, later converted to work
for some credit card scammers in Scob.
There was a substantial zero day in IIS. The webdav bug, which
was found when it was being used to attack military systems.
The zero day in IE utilized known vulnerabilities to work;
without it, it could not have worked. That is out of several
years of many people - and many talented people - pounding
The IE zero day issue is not surprising because IE researchers
receive and have received a lot of large money offers in
the recent past.
The webdav issue used exploit code which is extremely similar
to exploit code found by some of the best Chinese hackers
on the planet.
None of these are people outside of the social circles of
other security researchers.