
Disclosing Exploit Code

One of the ongoing dilemmas in computer security research is how much information to disclose and when. It is generally accepted that the unwritten (or sometimes written, but not officially adopted as a "standard") code of ethics compels researchers to notify the vendor of the flawed product in private first and allow them some reasonable amount of time to address the issue before announcing the vulnerability to the public.

If you follow certain forums and mailing lists such as BugTraq, you will often see explicit details of the various vulnerabilities as well as exploit code. The exploit code is often written as a proof of concept, intended to test for or prove the existence of the vulnerability rather than to exploit it maliciously. However, once it's published on the Internet there is no way to control its use or keep it from being developed with malicious intent.

Security researchers fill a valuable and necessary role in the world of information security: helping vendors identify and fix security holes before those same holes are discovered and exploited by less scrupulous programmers. The good guys generally give the vendor a reasonable amount of time to produce a patch or update to fix the problem before publicly announcing their discovery.

Often, the exploit code is released at that point as well. Again, the intent is not to do harm so much as to give security and network administrators a means of determining which machines on their network might be vulnerable, or of testing for the flaw on different platforms and configurations.

In theory, because the vendor has already been notified and the appropriate patch or security update is publicly available, this should be a "safe" thing to do. However, many people are unaware of the necessary fixes or simply don't get around to applying them, and therefore thousands of machines remain vulnerable to malicious attack using the now public exploit code.

As discussed in this SecurityFocus.com article by Kevin Poulsen, well-known security researchers and vulnerability discoverers such as David Litchfield of NGS Software, the white-hat hacker group LSD, and the computer security firm eEye have all voluntarily chosen to stop the practice of releasing exploit code.
