Dailydave mailing list archives

Re: TTW


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 16 Nov 2011 10:47:34 -0800

Hi Kristian,

Thanks for the praise.

> As a final note, it was highly predictable to see Microsoft and other
> more slowly moving browser vendors being scolded for their inability
> to rectify issues (even those that are known)

For what it's worth, I tried to keep vendor-bashing to a minimum; all
of them are guilty of various transgressions, and while it's useful to
record some of the more interesting cases, it's probably
counterproductive to dwell on them or trade insults.

Now, I personally think that Microsoft's handling of the vulnerability
response process is inadequate, and that this inadequacy is sometimes
advanced using false pretenses - but I did my best to keep this
opinion outside the scope of the book :-) When it comes to rolling out
new security features in MSIE, they are actually pretty great.

I am actually impressed that almost all the key players now all seem
to have people passionate about deploying reasonably well-designed
security features (e.g. David Ross over at Microsoft, Brian Sterne
over at Mozilla, and Adam Barth working on WebKit and Chrome) - and I
wish we could say the same about the plugin world...

It is still troubling that most of the recent improvements do very
little for existing apps and prevalent application design paradigms,
and only add complexity and new boundaries on top of the current
browser security model; and that the approach often is "implement
first, coordinate later". On the flip side, I can see the appeal of
devising a successful security mechanism, versus struggling to
implement something envisioned by an armchair expert.

/mz
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave