Open Source and information security mailing list archives
Message-ID: <20031210224925.GA19424@c9x.org>
From: j at pureftpd.org (Jedi/Sector One)
Subject: Re: Internet Explorer URL parsing vulnerability

On Wed, Dec 10, 2003 at 09:34:04PM +0000, petard wrote:
> It means balancing customer demand (the
> amount of money to be made) against the cost of fulfilling that demand

  To be fair, do you really think that fixing all currently known, but
still unfixed bugs would cost millions of dollars?

  Does hiring people like Lyu Die Lu cost millions of dollars?
  
  Do you seriously think that fixing the 0x01 issue requires more than 10
lines of code? And that releasing the binary patches takes months of hard
work and a lot of money?

  Yes, it means balancing customer demand against costs, but both have to be
in the same order of magnitude to be comparable. At a cost that is just like
zero for a corp like Microsoft, they could release a patch for the 0x01
issue in 24h. And in return they get more trust from users, which is
something they may need in the long term. But they don't care and they even
announced that no new fix will be released before 2004.

> So the answer is not "They simply don't want it fixed."

  Internet Explorer is a special case. It just sounds as if Microsoft
doesn't want to maintain the product any more since the very first version
of IE 6. As if some day, Bill said "ok, let's freeze everything. Stop
working on IE, just take the current state of the CVS tree and it will
remain the same for 10 years".

  There has been no actual improvement in Internet Explorer since the first
release of IE 6. No tabs, no proper PNG support while all other browsers have it.
Worse: support for stylesheets really looks like unfinished work. Basic
features are missing, others are totally buggy. Webmasters need to waste time
adding tons of ugly hacks to get IE to render something coherent.
These bugs are obvious, really nasty, discussed everywhere and dealing with
them costs people money. Years later, nothing has changed. And finally,
Microsoft officially announces that there will be no more IE release until
Longhorn (2008 ?).

  Critical functional bugs are left as is, critical security bugs are just
fixed occasionally, and thanks to other people for finding them.

  Internet Explorer is obviously unmaintained software.
  
  Best regards,
  
-- 
 __  /*-    Frank DENIS (Jedi/Sector One) <j at 42-Networks.Com>    -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/