| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: gr at eclipsed.net (gabriel rosenkoetter) Subject: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution On Tue, Feb 17, 2004 at 09:45:35PM -0800, morning_wood wrote: > http://news.com.com/2100-7355_3-5160566.html?part=rss&tag=feed&subj=news > http://www.snpx.com/cgi-bin/news5.cgi?target=www.newsnow.co.uk/cgi/NGoto/50814457?-2622 'Microsoft fixed the issue in later versions of Internet Explorer without telling consumers, a practice known in security circles as the "silent fix." Patching is always good, but the company should make sure that it informs the end users, said Chris Wysopal, vice president for research and development at digital security firm @Stake.' Oh, give me a break. Some developer went, "Oh, hey, I'm not bounds checking there. Okay, fix that," and the changes filtered out into the release of IE. You don't release "security patches" except in response to publication of a serious vulnerability, and especially in response to a problem that's systemic. This is *a* buffer overflow. Do we expect even Sun or Apple to tell us about every buffer overflow they fix? Hell, do we expect Linux or NetBSD to do so? C'mon, people. If you're going to be quoted for publication, try to make statements reasonable to the actual importance of the issues at hand. -- gabriel rosenkoetter gr@...ipsed.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 186 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040218/c4691e04/attachment.bin
Powered by blists - more mailing lists