Update: TQBF weighs in below with a comment: "I don’t understand. Wouldn’t we be better off if he didn’t disclose those details?" Answer: Of course not. My entire point is that we should be seeking out and destroying (or at least neutralizing) these capabilities rather than spinning wheels with the comfort food being fed to us by white hats. It is the "in-the-wild exploit against an undercover vulnerability" that I want everyone to focus on.
Adam at Emergent Chaos says:
"to Pete’s question about how I know that there’s lots of exploit code, it’s easy. I’ve worked for organizations that took security seriously enough to detect and analyze new attacks. We regularly saw people exploiting unannounced flaws in our systems."
We are at a point in time in the security world where details like this are extremely helpful, and there are people who could actually make good use of them. I can only hope that Adam sees fit to provide some details, any details.
Not to badger, but we are still stuck with words that are often used in vague ways. I can’t help it that many people in our profession are stuck in the "I’d tell you but I’d have to kill you" mindset. In this case, "regularly" and "unannounced" fit the bill, as does the possessive form "our systems", which often implies configuration weaknesses or custom app-layer attacks rather than attacks on flaws in commercial platforms.
I don’t understand. Wouldn’t we be better off if he didn’t disclose those details?
Lindstrom’s Indemnification
Pete Lindstrom has very nicely offered to indemnify me, and pay my outrageous consulting fees when no one else will, if only I break NDAs and disclose which 0day exploits were used against which of my clients. Well, the…