Full Disclosure mailing list archives
Re: Internet Explorer URL parsing vulnerability
From: Feher Tamas <etomcat () freemail hu>
Date: Wed, 10 Dec 2003 13:45:15 +0100 (CET)
Hello,
Please don't start a disclosure / non-disclosure thread again and again and again...

This is about responsible and non-responsible disclosure, which is at the heart of security research. As long as you have no proof that the bug is being maliciously exploited in the wild, you need to give the software vendor time to react and patch. Considering the size of Microsoft (an organization of 50, FIFTY, thousand people), five workdays for an in-depth response and another two weeks for a patch is the minimum lag one can expect even in the most critical cases.

As you know, IE is available natively localized in more than 20 languages, and each of them is a separate piece of software, not just a stub like in Mozilla. The MS guys need time to produce and smoke-test those 20-something hotfix files for a single exploit in order to release them all at once. They cannot prioritize by big or small market languages, and indeed that would be unethical. When they are ready, they will credit you with the discovery on the MS Security Bulletin pages, along with all the hotfix downloads.

Of course, if the vendor just doesn't care to reply, or the patch is delayed indefinitely, or you learn that the exploit is already actively being used for evil purposes, you should disclose the problem. However, one could then expect you to offer a practical solution, or at least a workaround, for the bug. I see nothing like that here. Just criticizing is not a positive thing. What Zap the Dingbat has done will not earn him a bust in the hall of fame for security research.

Sincerely: Tamas Feher

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html