| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: frank at knobbe.us (Frank Knobbe) Subject: Comments on 5 IE vulnerabilities On Mon, 2003-12-01 at 17:37, Thor Larholm wrote: > Much ado has been made about those vulnerabilities and they have been > covered in numerous places such as Forbes, NY Times and CNN. What this > tells me is that we need a radically different approach than the status > quo. That's probably exactly WHY people stop informing Microsoft and hoping for a patch and instead start to make these issue public. I believe that a lot of folks are sick and tired to play this stupid patching game when the vendor just doesn't learn. Ah, but you say... > One such approach is to put more emphasis on education and secure > coding, so that we can reliably prevent future threats. Another such > approach is to focus on proactive security measures that prevent > vulnerabilities and design flaws from having any effect in advance, > prior to their discovery and publication. Haven't we been saying this for years now? When does Microsoft learn and change? How long do you propose this educational phase is gonna go on further? Perhaps another 5 years? What shall we do then when things still haven't changed because everyone (including Microsoft) is comfortable with the current situation. > As a final comment, I do believe that vulnerability researchers should > notify vendors of potential vulnerabilities and give them some time to > fix these before exposing the public to the dangers of those > vulnerabilities. Posting demonstratory proof-of-concept code has served > to apply pressure in the past towards unresponsive vendors, but not > giving the vendors any chance to respond at all in the first place is > simply irresponsible and jeopardizes the security of the Internet as a > whole. I used to agree with you but how long should we just wink with the fence post? Don't you think it's time to spank some, especially IE? Without radical measures, change will not happen. We need a more dramatic shift. Personally, I like to see that dramatic shift performed by Microsoft, but I'm not sure if that is going to happen. I guess we'll just see how the recent security effort pan out, huh... Maybe one solution for MS could be to unhook IE from the OS, slowly distance itself from it and instead add a different browser, one that is more secure, with less bells'n'whistles perhaps. They have abandoned and replaced products in the past, perhaps it's time to do that with IE. (I know I have -- exchanged IE for a different browser... for the most part at least). Cheers, Frank -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031201/9aa37a06/attachment.bin
Powered by blists - more mailing lists