Bugtraq mailing list archives

Re: Submission


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Mon, 27 Nov 2000 22:01:25 -0800

On Mon, 27 Nov 2000 hellnbak () HUSHMAIL COM wrote:

OK, with that being said many of you are probably thinking that Georgi is
not allowed to cooperate with Microsoft because of his job with
Netscape/AOL.  To be blunt, this is nothing more than a lame excuse.
Companies work with their competitors over security holes constantly.  In
fact, I have seen advisories (the recent MS Network Monitor ones as an
example) that contain issues worked on by two very competitive companies,
ISS and NAI.

As a counter-example, our vulnhelp folks tried to coordinate a vuln
release recently that had to do with the locale bug in (g)libc that
affected most unix vendors, discovered by CoreSDI.  Some Linux vendors
jumped the gun.  I suspect the idea of waiting on other (competing?)
vendors to get their fix together, when someone is ready to go, is a new
thing for them.  It's been a couple months, and Sun still isn't quite
done.  I don't expect the Linux folks would have waited too long, and I
don't think we would have expected them to wait 2 months.  We'll all
probably have to go through a few iterations of this type of thing before
it works itself out.

Having said that, I don't think that has anything to do with Georgi's
decision on when to release.  If you check out his web pages
(guninski.com) you'll see that he has 16 Netscape vulns in addition to the
~40 IE holes.  This probably has to do with the fact that IE just
encompasses a larger set of functionality, and therefore provides a
potentially greater source of holes, and is probably just more interesting
to research.

I know a lot of you are probably thinking that this rant is pointed
directly at Georgi and I guess it is as he is probably the largest
offender.  Georgi, take this message for what it is worth, you are no
longer doing the security industry a service, you are letting people know
that AOL/Netscape and their big pockets can take a once respected person
and obviously very intelligent security professional and use them to do
their bidding.


Netscape doesn't need Georgi's help looking bad.  Once they stopped
acknowledging bugs in their browser and releasing fixes in a timely
manner, they clearly communicated their feelings on security.  I'm
impatient for Mozilla.  I hope that the bloated piece of software that
barely runs called Netscape 6 doesn't reflect the state of the Mozilla
project.

                                                Ryan

