[Full-Disclosure] When do exploits get used?

[Paul Schmehl <pauls@xxxxxxxxxxxx>]

--On Monday, March 22, 2004 05:04:43 PM +0000 Ben Laurie 
<ben@xxxxxxxxxxxxx> wrote:

Note: I changed the subject to more accurately reflect the discussion.
> > This is foolish thinking.  Do you really think that, when a patch comes
> > out, *then* the hackers start working on exploits?  The exploits were
> > being used *long* before the patch comes out.  The only thing a patch
> > gets you is protection against *future* hack attempts against *that*
> > weakness.
>
> This is demonstrably not true - it depends who finds the problem.
So, it's not true, except it depends?  Then it is true.

Not *every* exploit comes out after a patch is released, but it's a fact 
that *some* exploits are in use long before a "researcher" reports them to 
a vendor and/or a patch comes out.

To think otherwise is foolish, as I said.  If one isn't paranoid, one 
probably doesn't belong in the security field.  If you're sitting back 
thinking you're safe because you're patched and you patch quickly, then 
you're unalert and exposed.

Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html