lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu Apr 27 23:59:22 2006
From: trbilbro at verizon.net (Tim Bilbro)
Subject: MSIE (mshtml.dll) OBJECT tag vulnerability


>Why didn't I even try, you say? Past experiences of numerous
researchers
>aside, consider this: Microsoft takes 3-6 months to fix critical but
>non-public vulnerabilities in their flagship software (some of these
flaws
>must've been independently discovered by the rogues, hence putting
>customers at great risk, or at best taking chances). This is not a
>reasonable timeframe, compared to industry averages. Yet, they only
take
>2-4 weeks to fix publicly disclosed bugs - thus making software safer,
>sooner.

Nice of you to make that risk assessment for the entire IA community.
Thanks.

>You're making an argument for no disclosure and no accountability...

>...by saying that it sucks for infosec workers to have to do some
actual
>work, rush workarounds, write IDS signatures - based not on guesses,
>but on useful information...

>...and you're making this argument On a full disclosure mailing list.

>Bravo.

I have made no such arguments. My argument is that a responsible
researcher should give the vendor a chance to respond. If they don't
within a reasonable amount time, publish the vulnerability and document
the vendor's lack of response. Further, releasing a zero-day
vulnerability without giving a vendor any chance to respond does more
harm than good. That's my argument.

Sorry to crash the party here, but you guys aren't going to be able
release zero-day exploits without getting some flak from the folks who
have to respond to them. Free speech goes both ways, you know.

I'd say we're at a point of agreement on disagreeing at this point.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ