Message-ID: <20031210165438.GV1192@sparky.finchhaven.net>
From: jsage at finchhaven.com (John Sage)
Subject: Re: Internet Explorer URL parsing vulnerability
Re: disclosure vs. non-disclosure and M$
On Wed, Dec 10, 2003 at 05:44:35AM -0800, S G Masood wrote:
> From: S G Masood <sgmasood@...oo.com>
> Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing
> vulnerability
> To: Feher Tamas <etomcat@...email.hu>, full-disclosure@...ts.netsys.com
> Date: Wed, 10 Dec 2003 05:44:35 -0800 (PST)
>
>
> --- Feher Tamas <etomcat@...email.hu> wrote:
> > Hello,
> >
> > >don't start a disclosure - non disclosure thread
> > again and again
> > and again please...
> >
> > This is about responsible and non-responsible
> > disclosure, which is at
> > the heart of security research.
> >
> > As long as you have no proof that the bug is being
> > maliciously exploited
> > in the wild, you need to give time for the sw vendor
> > to react and patch.
>
> If you are talking about a generic ethic, I sincerely
> agree. Slight deviations on this concept might apply
> depending on the vendor's track record and the
> vulnerability (I am not talking about MS alone).
>
> However, unfortunately, if you are familiar with the
> pattern in which MS handled the previous unpatched IE
> vulns, this looks like one of those IE vulns. that MS
> *WONT* patch.
With the virtually unlimited resources (financially and staff-wise)
available to Micro$oft, why has this sort of vulnerability been left
undiscovered and unpatched by Micro$oft itself?
Put a hundred people on the task of identifying any URL oddities that
IE currently accepts, and patch, patch, patch.
It would take less than a week to fix *all* of this sort of crap.
The fact that someone out in the community at large (once again)
discovers a vuln and publishes it is just an ongoing symptom of the
fundamental problem:
Micro$oft is involved with "Trustworthy Computing" only so much as it
plays well in a press release, and freely accepts the status quo only
so long as it doesn't negatively affect the bottom line.
- John
--
"Most people don't type their own logfiles; but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.