Message-ID: <20041108130745.26466.qmail@web20227.mail.yahoo.com>
From: visitbipin at yahoo.com (bipin gautam)
Subject: MSIE src&name property disclosure ("E" - GORILLA WAR stratigy? ) huh!

Reviewing all the latest IE advisories, I believe they are in a way attacking M$, so that its customers are forced to choose another browser due to the security risks involved. I will rate it as a birth of "E" - GORILLA WAR strategy? (o; of the minorities.

Can a company sue a person for publishing irresponsible sec. advisories as such? No offence. I just wanna know your views. After all, the haxor is reverse engineering the software. I don't know if M$ will ever file a case against such ppl. in future with a propaganda, TO PROTECT ITS USERS?

have your say?

bipin gautam

--- Berend-Jan Wever <skylined@...p.tudelft.nl> wrote:
> Hi all,
>
> In response to statements found at
> http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html
> "Microsoft is concerned that this new report of a vulnerability in
> Internet Explorer was not disclosed responsibly, potentially putting
> computer users at risk," the company said in the statement. "We believe
> the commonly accepted practice of reporting vulnerabilities directly to a
> vendor serves everyone's best interests, by helping to ensure that
> customers receive comprehensive, high-quality updates for security
> vulnerabilities with no exposure to malicious attackers while the patch
> is being developed."
>
> About "responsible disclosure":
> The original vulnerability was found and disclosed by ned. As far as I
> know, ned only knew he had found something that crashed MSIE: a bug.
> Microsoft's concerns would suggest two options:
> 1) They expect everybody who finds a bug to investigate the issue and act
> according to the impact the problem might have on security. I do not think
> this is likely to happen unless everybody is required to be a 1337
> ubergeek before they are allowed to use MS software. It's a nice goal to
> aim for, but not very realistic.
> 2) You can not talk about your software crashing, ever, unless it's to the
> vendor: You might have stumbled upon a vulnerability and if a malicious
> attacker hears about it, he might use it.
>
> About "commonly accepted practice of reporting vulnerabilities directly to
> a vendor":
> When did they arrest all the black-hats?
>
> About "no exposure to malicious attackers while the patch is being
> developed":
> Although I believe in responsible disclosure of vulnerabilities, it DOES
> NOT prevent malicious attackers from discovering and exploiting the same
> vulnerability while a patch is being developed. Responsible disclosure
> decreases the chance of somebody hacking your system while you are
> vulnerable, it doesn't make it zero.
>
> Anybody who understands basic buffer overflow techniques will be able to
> write an exploit for this vulnerability. I did it in a few minutes, so how
> hard can it be? I do not feel I disclosed anything new, I just saved a
> lot of people the trouble of writing it themselves.
>
> The vulnerability has been rated "extremely critical" since I released the
> exploit. I say it was already "extremely critical" before ned disclosed
> his information, only nobody knew it was there. It was "extremely
> critical" when ned did, but only a few could grasp that. Then I explained
> it was an easy to exploit buffer overflow, it still did not get much
> attention.
> Writing the exploit hasn't changed the flaw or its impact, it just
> attracted the right amount of attention to the problem.
>
> Cheers,
> SkyLined
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html