Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Internet Explorer / Outlook / Microsoft Office private exploit request

From: Valdis.Kletnieks () vt edu
Date: Thu, 16 Jun 2005 11:38:21 -0400
On Thu, 16 Jun 2005 10:37:55 +0200, metesi said:


If you have, or you think you could get within few weeks, a
undisclosed/unpublished vulnerability (that have to stay private) just
contact us.


Even if the 0-day *is* used for "ethical pen-tests", you can't guarantee
that the use of said exploit will be able to "have to stay private".  There's
always the chance that an alert sysadmin will spot the use of the 0-day and
the ensuing investigation exposes it to the world.

The only way to guarantee that it stays private is:

1) Don't use it.  There's always the chance that it will be detected.
2) Don't give a copy to "trusted friends".  There's always the chance that
your trusted friend shouldn't have been trusted.
3) Don't tell anybody you have a 0-day.  There's always the chance some black
hat will use *his* 0-day to hack your box and steal yours.

And even then, it's not 100% guaranteed....

Attachment: _bin
Description: 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: