lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <021901c66afc$9dca6df0$0300a8c0@AMDLAPTOP>
Date: Fri Apr 28 20:55:05 2006
From: angray at beeb.net (Aaron Gray)
Subject: MSIE (mshtml.dll) OBJECT tag vulnerability

> My $0.02, ignore as you see fit.
>
> As a consumer, I prefer (arguably have the right) to know at the earliest
> possible opportunity whether a product I am using is flawed.  Whether a
> medication appears to cause cancer, my car is prone to exploding when rear
> ended, or a piece of software is found to be exploitable.  I don't wish to
> wait through some potentially lengthy process, legal or otherwise, in 
> which
> the producer of the product denies or downplays the severity of the flaw
> before finally addressing the problem and making the flaw public before I
> hear about it for the first time.  To pretend that you are somehow immune 
> to
> the problem while the vendor fails to disclose it is simply ridiculous.
>
> While vendor coordination is certainly nice to have, the ONLY thing I 
> would
> like to see required in pre-patch disclosures are constructive ways to
> mitigate the problem, and the impact of those mitigations.
>
> For those that would not disclose, what gives you the right to judge 
> whether
> someone is capable of dealing or not dealing with the newly announced
> vulnerability, and what makes you think that you are qualified to manage 
> the
> risk on my networks?  If you are an information security professional, 
> then
> you are paid to deal with "problem", if you are not capable of dealing 
> with
> it, then you need to rethink your profession.
>
> Flame away,

The only thing that I would add that ehat in an idea world firstly on 
finding a vulnerability that an advisory is made to the product producer 
then secondly to the list with an IDS fingerprint SNORT. Then not until a 
reasonable time to fix the vulnerability the proof of concept exploit is 
released (This gives time to hone the exploit as well :)

My 0.02 cents added,

Aaron

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ