Hello,

> don't start a disclosure - non disclosure thread again and again and again please...

This is about responsible and non-responsible disclosure, which is at the heart of security research. As long as you have no proof that the bug is being maliciously exploited in the wild, you need to give the software vendor time to react and patch. Considering the size of Microsoft (an organization of 50 FIFTY thousand people), five workdays for an in-depth response and another two weeks for a patch is the minimum lag one can expect even in the most critical cases.

As you know, IE is available natively localized in more than 20 languages, and each of them is a separate piece of software, not just a stub like in Mozilla. The MS guys need time to produce and smoke-test those 20-something hotfix files for a single exploit so they can release them all at once. They cannot prioritize by big or small market languages, and indeed that would be unethical. When they are ready, they will credit you with the discovery on the MS Security Bulletin pages along with all the hotfix downloads.

Of course, if the vendor just doesn't care to reply, or the patch is delayed indefinitely, or you learn that the exploit is already actively being used for evil purposes, you should disclose the problem. However, one could then expect you to offer a practical solution, or at least a workaround, for the bug? I see nothing like that here. Just criticizing is not a positive thing. What Zap the Dingbat has done will not earn him a bust in the hall of fame for security research.

Sincerely,
Tamas Feher

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
