Tim Bilbro wrote:

> I don't think it is inevitable. Think about browser DoS vulnerabilities. A stealth blackhat wouldn't bother with that type of exploit. It's brute force, messy, doesn't get you root and it's trackable to some degree. But, lesser hackers will immediately adopt exploits that just crash the browser, for example. So, by publishing that type of exploit and labeling it critical you create a new requirement for mitigation that wouldn't otherwise be there.

If a script kiddie wants to DoS a browser, there are very easy ways to do so without resorting to arcane tricks. Resource consumption/misuse has always been an easy game to master. I think that your example here is a very, very poor one. It's like saying that the fork bomb is a well-guarded secret.

It's inevitable. If it's a known hole anywhere, it's a matter of time until it gets out. The issues that count, the ones that both black hats and script kiddies care about that get them access, will always follow the pattern I laid out, because it's beneficial to the skilled black hats to do it that way.

> Some have suggested a 'Vulnerability Escrow': a third party that tracks and holds vulnerability discoveries and works with the vendor. I think that is an idea worth exploring.

I think it's a horrible idea that only creates people with a vested interest in getting paid to hold vulnerabilities in secret. There's no way to enforce its usage and as such it will never result in a lack of disclosure. The "escrow" services will become targets of attacks and eventually, because greed always wins, this new flashy database of 0-days will be sold off to the highest bidder.

I think it's a monumentally bad idea to collect all the vulnerability data necessary for the company to fix their product in one place and leave it in the hands of people who only have a monetary goal in their holding of that data.
-bkfsec

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/