In which Lindstrom gets served, and I hopefully get drunk.
Thomas Ptacek | August 11th, 2005 | Filed Under: Uncategorized
Hey, Thomas, Lindstrom says we can’t name an advisory that originated with a zero-day exploit! See?
C’mon, just point me to ONE major vendor patch bulletin that originated when you saw the vulnerability exploited in the wild before any good guys knew about it. Presumably, this exploit would have been the catalyst for discovery and disclosure by the good guys. I’ll definitely buy you a beer or 50 if you can do that.
Peter, I’m happy with Bass, but if you can find me 50 bottles of Big Rock Grasshopper, that’d bring back nice memories of the night I spent reverse-engineering the captured, “in-the-wild” (gag) tooltalk exploit binary so I could write this advisory.
Want another example? Try rpc.statd, one of the most widely-distributed pre-disclosure vulnerabilities ever (and the bane of Sun operators for like 5 years).


Justin Mason
August 18th, 2005 12:32 am
gosh. I went back and edited the Wikipedia pages on bugtraq and the Full Disclosure movement, post the Lynn/Ciscogate thing, just to provide a resource to remind people of how *that* happened: the massively-exploited sendmail holes of CA-93:15.
This article gives a good idea of the situation as I remember it:
http://www.spirit.com/Network/net0800.html#section-1.1.
Pete
September 26th, 2005 1:58 pm
Tonight’s the night for beer. Contact me at petelind@spiresecurity.com for details, or check my blog.
ddz
February 10th, 2006 12:24 pm
May as well just add some recent ones to the list:
* IIS/ntdll WebDAV (vulnerability was discovered as it was used against AirForce (?) web server)
* Samba trans2open overflow (Digital Defense/HD Moore discovered it in captured packet traces)
* WMF (yes this happened after this post, but it shows it is obviously still going on)