Brian Vagnoni on 7 Feb 2008 18:41:36 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] The Vulnerabilites Business....?

Though a windows example security is everyones business and just wondering what people think about this sort of operation.

I'm referring to an EWeek print article Dealing In Vulnerabilities Vol. 25 #4 Page 14 2/4/08. If you don't have the rag, it's talking about the Realplayer exploit discovered 12/16/07 and as of 1/31/08 still un-patched and Real Networks can't seem to find the exploit in their own code.

So what do people think about individuals/companies that specialize in breaking other peoples software for the purpose of selling the info for profit either back to the software manufacturer or other interested parties.

Is this fair game, good for software security, bottom feeding, or extortion? So what do you think about companies like Gleg featured in the article?


Time Line According to EWeek
12/16/07 Gleg ships RP exploit to subscribers of the VulnDisco exploit pack
1/01/08 Gleg release video of exploit
1/02/08 Realnetworks contacts Gleg to ask for flaw info. Gleg refuses
1/03/08 Carnegie Mellons CERT/CC issues an alert and attempts to get info from Gleg. Gleg refuses
1/31/08 Exploit still unpatched

Here is a video of the exploit

Brian Vagnoni

PGP Digital Fingerprint

F076 6EEE 06E5 BEEF EBBD BD36 F29E 850D FC32 3955
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --