From: j at pureftpd.org (Jedi/Sector One)
Subject: Re: Internet Explorer URL parsing vulnerability

On Wed, Dec 10, 2003 at 09:23:40AM +0100, Feher Tamas wrote:
> Unless the bug has already been exploited by malicious people, it was 
> a highly irresponsible act to disclose it to the public, without giving 
> Microsoft a reasonable timeframe to produce a fix.

  People know that new critical flaws are discovered in Internet Explorer
every week, but keep using this product.

  Who is to blame here?

> It may even qualify as a crime!

  In this case, Microsoft is the actual criminal.
  
  To bring back the traditional car-vs-software parallel... Imagine that
Ford is selling cars that are known to have serious defects. Every week a new
serial defect is found (and even not by the manufacturer but by an
individual). And because of these defects, thousands of people are already
dead. Now, the defect-of-the-week is that when you say "booh!" to a Ford car,
it explodes 10 minutes later.

  Now when a car explodes because of that flaw, who is to blame?
  
- People who keep buying those cars while knowing they are playing Russian
roulette? Obviously.

- Ford that still keeps selling these cars (fixing some reported flaws,
ignoring some others, not really carefully testing anything themselves
before products hit the market)? Obviously.

- A kiddy who notices the "booh!" bug by mistake and tells his friends (so
that the problem is known to the public instead of being silent, waiting for
a vendor fix and imagining that because the fix is there, everyone on the
planet will immediately apply it)? Obviously not.

  Past the marketing "Microsoft now focuses on security" craptalk, the
current situation regarding Internet Explorer is still the same as it has been
for years. Use it without Qwik-fix, an antivirus, a firewall and strong
reflection before clicking anywhere and you are still vulnerable to trivial
flaws. So
instead of blaming whoever found the IE bugs of the week, just switch to
other browsers.

  Best regards,
  
-- 
 __  /*-    Frank DENIS (Jedi/Sector One) <j at 42-Networks.Com>    -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/

