|Brian Vagnoni on 7 Feb 2008 18:41:36 -0800|
Though a Windows example, security is everyone's business, and just wondering what people think about this sort of operation.
I'm referring to an EWeek print article, "Dealing In Vulnerabilities", Vol. 25 #4, Page 14, 2/4/08. If you don't have the rag, it's talking about the RealPlayer exploit discovered 12/16/07 and as of 1/31/08 still unpatched, and RealNetworks can't seem to find the exploit in their own code.
So what do people think about individuals/companies that specialize in breaking other people's software for the purpose of selling the info for profit, either back to the software manufacturer or other interested parties?
Is this fair game, good for software security, bottom feeding, or extortion? So what do you think about companies like Gleg featured in the article?
Timeline according to EWeek:
12/16/07 Gleg ships RP exploit to subscribers of the VulnDisco exploit pack
1/01/08 Gleg releases video of exploit
1/02/08 RealNetworks contacts Gleg to ask for flaw info. Gleg refuses
1/03/08 Carnegie Mellon's CERT/CC issues an alert and attempts to get info from Gleg. Gleg refuses
1/31/08 Exploit still unpatched
Here is a video of the exploit http://www.gleg.net/realplayer11.html
PGP Digital Fingerprint
F076 6EEE 06E5 BEEF EBBD BD36 F29E 850D FC32 3955
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug