[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1070323632.451.42.camel@localhost>
From: frank at knobbe.us (Frank Knobbe)
Subject: Comments on 5 IE vulnerabilities
On Mon, 2003-12-01 at 17:37, Thor Larholm wrote:
> Much ado has been made about those vulnerabilities and they have been
> covered in numerous places such as Forbes, NY Times and CNN. What this
> tells me is that we need a radically different approach than the status
> quo.
That's probably exactly WHY people stop informing Microsoft and hoping
for a patch and instead start to make these issue public. I believe that
a lot of folks are sick and tired to play this stupid patching game when
the vendor just doesn't learn. Ah, but you say...
> One such approach is to put more emphasis on education and secure
> coding, so that we can reliably prevent future threats. Another such
> approach is to focus on proactive security measures that prevent
> vulnerabilities and design flaws from having any effect in advance,
> prior to their discovery and publication.
Haven't we been saying this for years now? When does Microsoft learn and
change? How long do you propose this educational phase is gonna go on
further? Perhaps another 5 years? What shall we do then when things
still haven't changed because everyone (including Microsoft) is
comfortable with the current situation.
> As a final comment, I do believe that vulnerability researchers should
> notify vendors of potential vulnerabilities and give them some time to
> fix these before exposing the public to the dangers of those
> vulnerabilities. Posting demonstratory proof-of-concept code has served
> to apply pressure in the past towards unresponsive vendors, but not
> giving the vendors any chance to respond at all in the first place is
> simply irresponsible and jeopardizes the security of the Internet as a
> whole.
I used to agree with you but how long should we just wink with the fence
post? Don't you think it's time to spank some, especially IE?
Without radical measures, change will not happen. We need a more
dramatic shift. Personally, I like to see that dramatic shift performed
by Microsoft, but I'm not sure if that is going to happen. I guess we'll
just see how the recent security effort pan out, huh...
Maybe one solution for MS could be to unhook IE from the OS, slowly
distance itself from it and instead add a different browser, one that is
more secure, with less bells'n'whistles perhaps. They have abandoned and
replaced products in the past, perhaps it's time to do that with IE. (I
know I have -- exchanged IE for a different browser... for the most part
at least).
Cheers,
Frank
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031201/9aa37a06/attachment.bin
Powered by blists - more mailing lists