From: ricardo at microhardbr.com.br (Ricardo Moura)
Subject: Re: Internet Explorer URL parsing vulnerability

On Wed, 10 Dec 2003 14:05:47 +0059
Jedi/Sector One <j@...eftpd.org> wrote:

> On Wed, Dec 10, 2003 at 09:23:40AM +0100, Feher Tamas wrote:
> > Unless the bug has already been exploited by malicious people, it was 
> > a highly irresponsible act to disclose it to the public, without giving 
> > Microsoft a reasonable timeframe to produce a fix.
> 
>   People know that new critical flaws are discovered in Internet Explorer
> every week, but keep using this product.
> 
>   Who is to blame here?   
> 
> > It may even qualify as a crime!
> 
>   In this case, Microsoft is the actual criminal.
>   
>   To bring back the traditional car-vs-software parallel... Imagine that
> Ford is selling cars that are known to have serious defects. Every week a new
> serial defect is found (and even not by the manufacturer but by an
> individual). And because of these defects, thousands of people are already
> dead. Now, the defect-of-the-week is that when you say "booh!" to a Ford car,
> it explodes 10 minutes later.
> 
>   Now when a car explodes because of that flaw, who is to blame?
>   
> - People who keep buying those cars while knowing they are playing Russian
> roulette? Obviously.
> 
> - Ford that still keeps selling these cars (fixing some reported flaws,
> ignoring some others, not really carefully testing anything themselves
> before products hit the market)? Obviously.
> 
> - A kiddy who notices the "booh!" bug by mistake and tells his friends (so
> that the problem is known to the public instead of being silent, waiting for
> a vendor fix and imagining that because the fix is there, everyone in the
> planet will immediately apply it)? Obviously not.
> 
>   Past the marketing "Microsoft now focuses on security" craptalk, the
> current situation regarding Internet Explorer is still the same for years.
> Use it without Qwik-fix, an antivirus, a firewall and strong reflexion
> before clicking anywhere and you are still vulnerable to trivial flaws. So
> instead of blaming whoever found the IE bugs of the week, just switch to
> other browsers.

well said :-]

