[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <021901c66afc$9dca6df0$0300a8c0@AMDLAPTOP>
Date: Fri Apr 28 20:55:05 2006
From: angray at beeb.net (Aaron Gray)
Subject: MSIE (mshtml.dll) OBJECT tag vulnerability
> My $0.02, ignore as you see fit.
>
> As a consumer, I prefer (arguably have the right) to know at the earliest
> possible opportunity whether a product I am using is flawed. Whether a
> medication appears to cause cancer, my car is prone to exploding when rear
> ended, or a piece of software is found to be exploitable. I don't wish to
> wait through some potentially lengthy process, legal or otherwise, in
> which
> the producer of the product denies or downplays the severity of the flaw
> before finally addressing the problem and making the flaw public before I
> hear about it for the first time. To pretend that you are somehow immune
> to
> the problem while the vendor fails to disclose it is simply ridiculous.
>
> While vendor coordination is certainly nice to have, the ONLY thing I
> would
> like to see required in pre-patch disclosures are constructive ways to
> mitigate the problem, and the impact of those mitigations.
>
> For those that would not disclose, what gives you the right to judge
> whether
> someone is capable of dealing or not dealing with the newly announced
> vulnerability, and what makes you think that you are qualified to manage
> the
> risk on my networks? If you are an information security professional,
> then
> you are paid to deal with "problem", if you are not capable of dealing
> with
> it, then you need to rethink your profession.
>
> Flame away,
The only thing that I would add that ehat in an idea world firstly on
finding a vulnerability that an advisory is made to the product producer
then secondly to the list with an IDS fingerprint SNORT. Then not until a
reasonable time to fix the vulnerability the proof of concept exploit is
released (This gives time to hone the exploit as well :)
My 0.02 cents added,
Aaron
Powered by blists - more mailing lists