At 3/3/2003 03:57 PM, Michel Arboi wrote: >Some time ago, I was digging into CVE and I wondered if we shouldn't >test very old vulnerabilities (because we do not. Not *all* of them) >Two reasons for yes: >1. An archeocomputer may have been lost in a corner of a network. >2. People never learn, and old bugs tend to pop up sooner or later > >One reason for no: >why bother? We have enough new vulnerabilities now. Michel, Short answer: Yes, definitely. Long answer: Given limited resources, it makes sense to prioritize and go after the most critical vulnerabilities first. To me, critical is defined as high-risk and widespread (the new Sendmail vulnerability is a good example). But I still want to know about _any_ vulnerability on any system, no matter how old. While the script kiddies are unlikely to target old vulnerabilities, a determined attacker is going to find and exploit any vulnerability to gain unauthorized access or do harm. Michael Katz mikeat_private Procinct Security
This archive was generated by hypermail 2b30 : Mon Mar 03 2003 - 16:24:11 PST