H D Moore on The Best Defense is Information

H D Moore, founder of the Metasploit project, writes about the need for vendors to come forward with information when faced with reports of exploits for their products.
The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case [Adobe PDF buffer overflow], like many others, the bad guys already won. Exploits are already being used in the wild and the fact that the rest of the world is just now taking notice doesn't mean that these are new vulnerabilities. At this point, the best strategy is to raise awareness, distribute the relevant information, and apply pressure on the vendor to release a patch.
Based on reports of samples collected by AV vendors as early as December 2008 and an expected patch in mid-March 2009, this attack vector will have had a cozy 3 month exploitation window, more than enough time to do targeted damage.

As of Feb 25, 2009, there is still no good way of dealing with this exploit other than not opening PDF files with the vulnerable software applications.

Updated on 2/25/2009 at 5pm CST: Adobe has released more info and is working with AV vendors. Patch still planned for March 11.

Src: The Best Defense is Information | Metasploit
