lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <00b401c66ae9$8f0a9f00$6300a8c0@theodore>
Date: Fri Apr 28 18:28:41 2006
From: cseagle at redshift.com (Chris Eagle)
Subject: MSIE (mshtml.dll) OBJECT tag vulnerability

My $0.02, ignore as you see fit.

As a consumer, I prefer (arguably have the right) to know at the earliest
possible opportunity whether a product I am using is flawed.  Whether a
medication appears to cause cancer, my car is prone to exploding when rear
ended, or a piece of software is found to be exploitable.  I don't wish to
wait through some potentially lengthy process, legal or otherwise, in which
the producer of the product denies or downplays the severity of the flaw
before finally addressing the problem and making the flaw public before I
hear about it for the first time.  To pretend that you are somehow immune to
the problem while the vendor fails to disclose it is simply ridiculous.

While vendor coordination is certainly nice to have, the ONLY thing I would
like to see required in pre-patch disclosures are constructive ways to
mitigate the problem, and the impact of those mitigations.

For those that would not disclose, what gives you the right to judge whether
someone is capable of dealing or not dealing with the newly announced
vulnerability, and what makes you think that you are qualified to manage the
risk on my networks?  If you are an information security professional, then
you are paid to deal with "problem", if you are not capable of dealing with
it, then you need to rethink your profession.

Flame away,

Chris

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ