lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1071086840.3456.3383.camel@localhost>
From: dan at losangelescomputerhelp.com (Daniel H. Renner)
Subject: Re: Internet Explorer URL parsing
	vulnerability

On Wed, 2003-12-10 at 08:54, John Sage wrote:
> Re: disclosure vs. non-disclosure and M$
> 
> On Wed, Dec 10, 2003 at 05:44:35AM -0800, S G Masood wrote:
> > From: S G Masood <sgmasood@...oo.com>
> > Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing
> >  vulnerability
> > To: Feher Tamas <etomcat@...email.hu>, full-disclosure@...ts.netsys.com
> > Date: Wed, 10 Dec 2003 05:44:35 -0800 (PST)
> > 
> > 
> > --- Feher Tamas <etomcat@...email.hu> wrote:
> > > Hello,
> > > 
> > > >don't start a disclosure - non disclosure thread
> > > again and again
> > > and again please...
> > > 

<snip>   PLEASE!

> > However, unfortunately, if you are familiar with the
> > pattern in which MS handled the previous unpatched IE
> > vulns, this looks like one of those IE vulns. that MS
> > *WONT* patch.
> 
> With the virtually unlimited resources (financially and staff-wise)
> available to Micro$oft, why has this sort of vulnerability been left
> undiscovered and unpatched by Micro$oft itself?
> 
> Put a hundred people on the task of identifying any URL oddities that
> IE currently accepts, and patch, patch, patch.
> 
> It would take less than a week to fix *all* of this sort of crap.
> 
> The fact that someone out in the community at large (once again)
> discovers a vuln and publishes it is just an ongoing symptom of the
> fundamental problem:
> 

<snip>

> 
> 
> - John


Why can't most people see the obvious?

Known facts:
a)  Company "A" has the resources to fix ANYTHING on this planet.
b)  _MANY_ people complain that company "A"'s product is "broken".
c)  Company "A" doesn't fix the product.

Conclusion?

Company "A"  DOESN'T  WANT  IT'S  PRODUCT  FIXED.

No esoteric or underlying marketing ploys or conspiracy theories need
apply (not that they don't, they just don't need to for these purposes.)

Think about it - if you had a car that smoked like crazy, and your
neighbors, the Clean Air Board and Mothers Against Drunk Driving were
ragging on you to fix it, and you had the money and time to do so, but
you still didn't - the _ONLY_ logical reason could be that you just
plain didn't want to.

You could put out PLENTY of good "reasons" (know in the corporate world
as Marketing) why you hadn't - but the bottom line is that you just
don't want to.

They simply don't want it fixed.  We can guess why, but they know why -
and they aren't telling.  Not a good sign...



-- 


Cheers,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ