Re: disclosure vs. non-disclosure and M$

On Wed, Dec 10, 2003 at 05:44:35AM -0800, S G Masood wrote:
> From: S G Masood <[EMAIL PROTECTED]>
> Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
> To: Feher Tamas <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Date: Wed, 10 Dec 2003 05:44:35 -0800 (PST)
>
> --- Feher Tamas <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > >don't start a disclosure - non disclosure thread
> > again and again
> > and again please...
> >
> > This is about responsible and non-responsible disclosure, which is at
> > the heart of security research.
> >
> > As long as you have no proof that the bug is being maliciously exploited
> > in the wild, you need to give time for the sw vendor to react and patch.
>
> If you are talking about a generic ethic, I sincerely agree. Slight
> deviations on this concept might apply depending on the vendor's track
> record and the vulnerability (I am not talking about MS alone).
>
> However, unfortunately, if you are familiar with the pattern in which MS
> handled the previous unpatched IE vulns, this looks like one of those IE
> vulns. that MS *WON'T* patch.
With the virtually unlimited resources (financially and staff-wise) available to Micro$oft, why has this sort of vulnerability been left undiscovered and unpatched by Micro$oft itself?

Put a hundred people on the task of identifying any URL oddities that IE currently accepts, and patch, patch, patch. It would take less than a week to fix *all* of this sort of crap.

The fact that someone out in the community at large (once again) discovers a vuln and publishes it is just an ongoing symptom of the fundamental problem: Micro$oft is involved with "Trustworthy Computing" only so much as it plays well in a press release, and freely accepts the status quo only so long as it doesn't negatively affect the bottom line.

- John

--
"Most people don't type their own logfiles; but, what do I care?"
- John Sage: InfoSec Groupie
- ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
- ATTENTION: this entire message is privileged communication, intended for the sole use of its recipients only. If you read it even though you know you aren't supposed to, you're a poopy-head.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
