The practice of disclosing proof-of-concept (PoC) exploits has long been debated in the security community. As the name suggests, a PoC lays out the steps used to exploit a vulnerability in a system in order to demonstrate that it can be done, and such code is used to test networks and pinpoint the vulnerable parts of a system. But publicly released PoCs also make it easier for criminals to exploit vulnerabilities before they are patched.
Just this past week, a slew of PoC exploits were published for various vulnerabilities, including ones for a recently patched crypto-spoofing vulnerability found by the National Security Agency (NSA) and reported to Microsoft, and for critical flaws affecting the Cisco Data Center Network Manager tool for managing network platforms and switches.
Other PoC code was recently released for an unpatched remote-code-execution vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products. And there was a PoC that “fully and practically” breaks the Secure Hash Algorithm 1 (SHA-1) code-signing encryption.
Are PoC exploit releases good or bad? Does it depend on the context? Do they make us safer? You can weigh in below with our Threatpost poll.