From: dave at immunitysec.com (Dave Aitel)
Subject: MSIE src&name property disclosure

Michal Zalewski wrote:

>On Mon, 8 Nov 2004, Berend-Jan Wever wrote:
>
>>In response to statements found at
>>http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html
>
>Yup.
>
>But what amuses me most, is the following bit:
>
>  "Microsoft has begun to investigate the Iframe vulnerability and has not
>  been made aware of any program designed to exploit the flaw, the company
>  said in an e-mail statement to CNET News.com."
>
>When you posted your first message confirming that the problem is
>exploitable, I forwarded it to secure@...rosoft.com, so that they know
>they have a problem in case they do not read Full-Disclosure. I got no
>response. Later, when you posted a working exploit, I sent them another
>forward, including a remark it is probably a good idea to react now, if
>they failed to do so before.
>
>In response, I got a mail from "Lennart" of Microsoft Security Response
>Center, saying that they are aware of the problem and read mailing lists,
>and that my original mail simply got lost in the noise.
>
>Several days later, this statement surfaces in an article, showing beyond
>any doubt that they are, quite simply, lying to the public to save face
>and gain time.
>
>As much as I am not a rabid Microsoft hater, this pissed me off more than
>a bit.
>
The really insidious thing is how they always attempt to claim that 
their version of disclosure policy is "commonly accepted" when nothing 
could be further from the truth. The security community, including most 
security consulting companies, follows a wide range of policies. Most of 
these policies have very little in common with Microsoft's policy, which 
they call "Responsible Disclosure (tm)." Of course, they themselves do 
not practice responsible disclosure to their customers. If they did, 
then EVERY vulnerability they discovered internally would be in an 
advisory. This is how it is done in organizations that truly do want to 
protect their customers, such as the Linux community.

This is another reason why studies comparing Microsoft's security to 
Open Source security are always bizarre. They compare the entire set of 
Linux vulnerabilities to a tiny subset of the bugs Microsoft knows 
about, but pretends other people don't. WINS is a classic example.

Dave Aitel
Immunity, Inc.