Friday, July 25, 2008

The Metasploit DNS vulnerability exploit

Andy IT Guy posed an interesting question and added a poll to it: Should HD Moore have released a Metasploit exploit for the recent DNS vulnerability? I started my response as a comment to Andy's post, but since my comments tend to run long, I figured I'd make it a post of its own here.

Many people have responded:
If you can tell, with absolute certainty, that systems are vulnerable to an exploit without needing to test the mechanism, what good is served by releasing weaponized attack code immediately after patches are released, but before most enterprises can patch?
Source: Rich Mogull


POC code for near-zero day 'sploits is like SPAM advertising penis-extending drugs...the only dick it's helping is the one writing it...

Source: Christopher Hoff


My principal feeling on this issue is that it is indeed a good thing to have the exploit available in Metasploit.

However, Andy's question has two components: 1) should Metasploit have the DNS exploit (YES!), and 2) was the timing of the release correct?

I already answered the first part of the question. The answer to the timing being correct revolves around one thing: adding an exploit to Metasploit after it has been seen in the wild is one thing, but taking the lead in developing it is not the wisest thing to do.
Metasploit has developed into a platform that is so well-built and easy to operate that it has become very dangerous to put a new sort of ammunition in it.
If the exploit was out in the wild already, and that fact was indeed confirmed, HD Moore's decision to release was valid. If the exploit wasn't out in the wild yet, the release was irresponsible. By releasing the code, we made the lives of the bad guys easier and that is not our job.
I have no doubt that the exploit would have been available soon if HD Moore had not released his, but when a platform such as Metasploit reaches so many people, giving them the necessary tools to do bad things is not the most responsible form of full disclosure.
Being in the public spotlight brings consequences, and sometimes that means that you have to be the responsible person.
