Open Source and information security mailing list archives
 
Message-ID: <44524471.1080204@lava.net>
Date: Fri Apr 28 17:36:11 2006
From: prb at lava.net (Peter Besenbruch)
Subject: MSIE (mshtml.dll) OBJECT tag vulnerability

> On Thu, 27 Apr 2006, Brian Eaton wrote:
> 
>> Please note that I ask this out of curiosity, and not in an attempt to
>> be critical. Why not give MSRC a head start of one week?

Michal Zalewski wrote:

> Because, among other things I've already mentioned, it will in no way
> affect when they're going to release a patch. Their official policy is to
> stick to a weird schedule.

Unfortunately, given Microsoft's recent behavior, Michal's right. 
Further, I too have seen the data showing much faster response times 
when Microsoft is blindsided. The only question that remains is whether 
some inherent sense of fairness on the part of the reporter dictates 
notifying the vendor first, even though it likely won't do any good.

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
