Message-ID: <46A070C8.3060305@outpost24.com>
Date: Fri, 20 Jul 2007 10:22:32 +0200
From: Chris Stromblad <cs@...post24.com>
To: "\"Zow\" Terry Brugger" <zow@...l.gov>
Cc: Gadi Evron <ge@...uxbox.org>, bugtraq@...urityfocus.com
Subject: Re: Internet Explorer 0day exploit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Zow Terry Brugger wrote:
>> ideal world. Many of the advisories I look at almost always cover the
>> same type of vulnerability. Shouldn't we have learned by now, if we
>> consider your argument?
> 
> It's been a while, but one of the great things I've seen Bugtraq used for is 
> to look at the distribution of vulnerabilities. In the past few years, my 
> perception is that there's been a decline in the number of buffer overflow 
> attacks and most of what we see today are web attacks like cross-site 
> scripting and remote file injection. Seeing these trends is important because 
> it tells us as a community where we need to focus our efforts.
> 
>> However, perhaps one/I just need to shift the way I look at advisories.
>> Rather than seeing them as "late" and "out-of-date", they could be an
>> additional source of information about a particular system. I'll accept
>> that.
> 
> That too. Let me tell you, if I ever need to set up a web forum for 
> something, I'm going to look at Bugtraq to see what the track record is for 
> the systems I'm considering.
> 
>> are almost at the verge of being completely void. A remedy for that
>> would be to have the security community agree on a common "advisory
>> protocol" that defines a guideline for contents in an advisory. Anyways,
> 
> Great idea! Much like the RFP vendor notification policy (Which I haven't 
> seen mentioned in a while, so I encourage everyone doing vulnerability 
> research to see http://www.wiretrip.net/rfp/policy.html). Anyone care to 
> propose a template (presumably if someone who the community respects does so, 
> it's more likely to catch on)?

Yes, ideally, if someone with a bit of community credibility could step
up and propose a standard, that certainly would kick-start it a little bit.

Another great benefit of such a template would be consistency in layout
and contents. Also, to improve the educational value of an advisory, it
would be neat if an appropriate code segment of the vulnerability could
be included. Now, people will argue the whole intellectual property
aspect, but I seriously doubt that 3-5 lines of code are going to affect
anything.

Let's do something about this!

> 
> Terry
> 
> import standard.disclaimer;
> 

- --
Chris Stromblad (CEH)
Head of Security Services
Outpost24 UK

90 Long Acre
Covent Garden
London, WC2 E9RZ

- -------------------------
Tel: +44 (0) 207 849 3097
Dir: +44 (0) 208 099 6595
Fax: +44 (0) 207 849 3140
- -------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGoHDI+CG0a/ZJxn8RAhHEAJ437PJf7shw7gmnivqncIXEF4dZbQCgpaTK
3zxJsLOTxwb+TffwDQYsO6U=
=7uds
-----END PGP SIGNATURE-----
