From: dan at losangelescomputerhelp.com (Daniel H. Renner)
Subject: Re: Internet Explorer URL parsing vulnerability

On Wed, 2003-12-10 at 08:54, John Sage wrote:
> Re: disclosure vs. non-disclosure and M$
> 
> On Wed, Dec 10, 2003 at 05:44:35AM -0800, S G Masood wrote:
> > From: S G Masood <sgmasood@...oo.com>
> > Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing
> >  vulnerability
> > To: Feher Tamas <etomcat@...email.hu>, full-disclosure@...ts.netsys.com
> > Date: Wed, 10 Dec 2003 05:44:35 -0800 (PST)
> > 
> > 
> > --- Feher Tamas <etomcat@...email.hu> wrote:
> > > Hello,
> > > 
> > > >don't start a disclosure - non disclosure thread
> > > again and again
> > > and again please...
> > > 

<snip>   PLEASE!

> > However, unfortunately, if you are familiar with the
> > pattern in which MS handled the previous unpatched IE
> > vulns, this looks like one of those IE vulns. that MS
> > *WON'T* patch.
> 
> With the virtually unlimited resources (financially and staff-wise)
> available to Micro$oft, why has this sort of vulnerability been left
> undiscovered and unpatched by Micro$oft itself?
> 
> Put a hundred people on the task of identifying any URL oddities that
> IE currently accepts, and patch, patch, patch.
> 
> It would take less than a week to fix *all* of this sort of crap.
> 
> The fact that someone out in the community at large (once again)
> discovers a vuln and publishes it is just an ongoing symptom of the
> fundamental problem:
> 

<snip>

> 
> 
> - John


Why can't most people see the obvious?

Known facts:
a)  Company "A" has the resources to fix ANYTHING on this planet.
b)  _MANY_ people complain that company "A"'s product is "broken".
c)  Company "A" doesn't fix the product.

Conclusion?

Company "A"  DOESN'T  WANT  ITS  PRODUCT  FIXED.

No esoteric or underlying marketing ploys or conspiracy theories need
apply (not that they don't, they just don't need to for these purposes.)

Think about it - if you had a car that smoked like crazy, and your
neighbors, the Clean Air Board and Mothers Against Drunk Driving were
ragging on you to fix it, and you had the money and time to do so, but
you still didn't - the _ONLY_ logical reason could be that you just
plain didn't want to.

You could put out PLENTY of good "reasons" (known in the corporate world
as Marketing) why you hadn't - but the bottom line is that you just
don't want to.

They simply don't want it fixed.  We can guess why, but they know why -
and they aren't telling.  Not a good sign...



-- 


Cheers,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700


