lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1070323632.451.42.camel@localhost>
From: frank at knobbe.us (Frank Knobbe)
Subject: Comments on 5 IE vulnerabilities

On Mon, 2003-12-01 at 17:37, Thor Larholm wrote:
> Much ado has been made about those vulnerabilities and they have been
> covered in numerous places such as Forbes, NY Times and CNN. What this
> tells me is that we need a radically different approach than the status
> quo. 

That's probably exactly WHY people stop informing Microsoft and hoping
for a patch and instead start to make these issue public. I believe that
a lot of folks are sick and tired to play this stupid patching game when
the vendor just doesn't learn. Ah, but you say...

> One such approach is to put more emphasis on education and secure
> coding, so that we can reliably prevent future threats. Another such
> approach is to focus on proactive security measures that prevent
> vulnerabilities and design flaws from having any effect in advance,
> prior to their discovery and publication. 

Haven't we been saying this for years now? When does Microsoft learn and
change? How long do you propose this educational phase is gonna go on
further? Perhaps another 5 years? What shall we do then when things
still haven't changed because everyone (including Microsoft) is
comfortable with the current situation.


> As a final comment, I do believe that vulnerability researchers should
> notify vendors of potential vulnerabilities and give them some time to
> fix these before exposing the public to the dangers of those
> vulnerabilities. Posting demonstratory proof-of-concept code has served
> to apply pressure in the past towards unresponsive vendors, but not
> giving the vendors any chance to respond at all in the first place is
> simply irresponsible and jeopardizes the security of the Internet as a
> whole.

I used to agree with you but how long should we just wink with the fence
post? Don't you think it's time to spank some, especially IE?

Without radical measures, change will not happen. We need a more
dramatic shift. Personally, I like to see that dramatic shift performed
by Microsoft, but I'm not sure if that is going to happen. I guess we'll
just see how the recent security effort pan out, huh...

Maybe one solution for MS could be to unhook IE from the OS, slowly
distance itself from it and instead add a different browser, one that is
more secure, with less bells'n'whistles perhaps. They have abandoned and
replaced products in the past, perhaps it's time to do that with IE. (I
know I have -- exchanged IE for a different browser... for the most part
at least).

Cheers,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031201/9aa37a06/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ