| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <001201c66d50$3ecbe940$16040a0a@Laptop> Date: Mon May 1 20:25:11 2006 From: trbilbro at verizon.net (Tim Bilbro) Subject: MSIE (mshtml.dll) OBJECT tag vulnerability Bkfsec wrote: ... >"What you do usually see with full disclosure (likewise with patching), >which is ironically dragged out as an argument against full disclosure, >is that when a flaw is disclosed, you do see script kiddies coming out >of the woodwork making loud noises with automated bots mass-owning >systems. Is this the fault of full disclosure? Nope. It's >inevitable. " I don't think it is inevitable. Think about browser DoS vulnerabilties. An stealth blackhat wouldn't bother with that type of exploit. It's brute force, messy, doesn't get you root and it's trackable to some degree. But, lesser hackers will immediately adopt exploits that just crash the browser for example. So, by publishing that type of exploit and labeling it crtical you create a new requirement for mitigation that wouldn't otherwise be there. Some have suggested a 'Vulnerability Escrow' A third party that tracks and holds vulnerability discoveries and works with the vendor. I think that is an idea worth exploring. Tim iainsidethebeltway.typepad.org
Powered by blists - more mailing lists