Message-ID: <freemail.20031110134515.70655@fm2.freemail.hu>
From: etomcat at freemail.hu (Feher Tamas)
Subject: Re: Internet Explorer URL parsing vulnerability
Hello,

>don't start a disclosure - non disclosure thread again and again
>and again please...

This is about responsible and non-responsible disclosure, which is at
the heart of security research.

As long as you have no proof that the bug is being maliciously exploited
in the wild, you need to give the software vendor time to react and patch.
Considering the size of Microsoft (an organization of 50 FIFTY thousand
people), five workdays for an in-depth response and another two
weeks for a patch is the minimum lag one can expect even in the most
critical cases. As you know, IE is available natively localized in more
than 20 languages and each of them is a separate piece of software, not just a
stub like in Mozilla.

MS guys need time to produce and smoke-test those 20-something
hotfix files for a single exploit in order to release them all at once. They cannot
prioritize by big or small market languages, and indeed that would be
unethical. When they are ready, they will credit you with the discovery
on the MS Security Bulletin pages along with all the hotfix downloads.

Of course, if the vendor just doesn't care to reply, or the patch is
delayed indefinitely, or you learn that the exploit is already actively
being used for evil purposes, you should disclose the problem.
However, one could then expect you to offer a practical solution, or at
least a workaround, for the bug. I see nothing like that here. Just
criticizing is not a positive thing.

What Zap the Dingbat has done will not earn him a bust in the hall of
fame for security research.

Sincerely: Tamas Feher.