From: etomcat at freemail.hu (Feher Tamas)
Subject: Re: Internet Explorer URL parsing vulnerability

Hello,

>don't start a disclosure - non disclosure thread again and again
>and again please...

This is about responsible and non-responsible disclosure, which is at 
the heart of security research.

As long as you have no proof that the bug is being maliciously exploited 
in the wild, you need to give time for the sw vendor to react and patch. 

Considering the size of Microsoft (an organization of 50 FIFTY thousand 
people), five workdays for an in-depth response and another two 
weeks for a patch is the minimum lag one can expect even in the most 
critical cases. As you know, IE is available natively localized in more 
than 20 languages and each of them is a separate software, not just a 
stub like in the Mozilla.

MS guys need time to produce and smoke-test those 20-something 
hotfix files for a single exploit to release them at once. They cannot 
prioritize by big or small market languages and indeed that would be 
unethical. When they are ready, they will credit you with the discovery 
on the MS Security Bulletin pages along with all the hotfixes download.

Of course, if the vendor just doesn't care to reply or the patch is 
delayed indefinitely or you learn that the exploit is already actively 
being used for evil purposes, you should disclose the problem.

However, one could then expect you to offer a practical solution or at 
least workaround for the bug? I see nothing like that here. Just 
criticizing is not a positive thing.

What Zap the Dingbat has done will not earn him a bust in the hall of 
fame for security research.

Sincerely: Tamas Feher.

Powered by blists - more mailing lists