lists.openwall.net   lists  /  announce  john-users  owl-users  popa3d-users  /  xvendor  oss-security  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4 
Open Source and information security mailing list archives
 
Order Openwall GNU/*/Linux 2.0 on a CD with delivery worldwide
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Mon May  1 20:25:11 2006
From: trbilbro at verizon.net (Tim Bilbro)
Subject: MSIE (mshtml.dll) OBJECT tag vulnerability

Bkfsec wrote:

...

>"What you do usually see with full disclosure (likewise with patching),

>which is ironically dragged out as an argument against full disclosure,

>is that when a flaw is disclosed, you do see script kiddies coming out 
>of the woodwork making loud noises with automated bots mass-owning 
>systems.  Is this the fault of full disclosure?  Nope.  It's 
>inevitable.  "


I don't think it is inevitable. Think about browser DoS vulnerabilties.
An stealth blackhat wouldn't bother with that type of exploit. It's
brute force, messy, doesn't get you root and it's trackable to some
degree. But, lesser hackers will immediately adopt exploits that just
crash the browser for example. So, by publishing that type of exploit
and labeling it crtical you create a new requirement for mitigation that
wouldn't otherwise be there. 

Some have suggested a 'Vulnerability Escrow' A third party that tracks
and holds vulnerability discoveries and works with the vendor. I think
that is an idea worth exploring. 

Tim
iainsidethebeltway.typepad.org

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux