Open Source and information security mailing list archives
 
Message-ID: <freemail.20031110134515.70655@fm2.freemail.hu>
From: etomcat at freemail.hu (Feher Tamas)
Subject: Re: Internet Explorer URL parsing vulnerability

Hello,

>don't start a disclosure - non disclosure thread again and again
>and again please...

This is about responsible and non-responsible disclosure, which is at 
the heart of security research.

As long as you have no proof that the bug is being maliciously exploited 
in the wild, you need to give time for the sw vendor to react and patch. 

Considering the size of Microsoft (an organization of 50 FIFTY thousand 
people), five workdays for an in-depth response and another two 
weeks for a patch is the minimum lag one can expect even in the most 
critical cases. As you know, IE is available natively localized in more 
than 20 languages and each of them is a separate software, not just a 
stub like in Mozilla.

MS guys need time to produce and smoke-test those 20-something 
hotfix files for a single exploit to release them at once. They cannot 
prioritize by big or small market languages and indeed that would be 
unethical. When they are ready, they will credit you with the discovery 
on the MS Security Bulletin pages along with all the hotfix downloads.

Of course, if the vendor just doesn't care to reply or the patch is 
delayed indefinitely or you learn that the exploit is already actively 
being used for evil purposes, you should disclose the problem.

However, one could then expect you to offer a practical solution or at 
least a workaround for the bug? I see nothing like that here. Just 
criticizing is not a positive thing.

What Zap the Dingbat has done will not earn him a bust in the hall of 
fame for security research.

Sincerely: Tamas Feher.


