Full Disclosure mailing list archives
Re: Re: Internet Explorer URL parsing vulnerability
From: John Sage <jsage () finchhaven com>
Date: Wed, 10 Dec 2003 08:54:38 -0800
Re: disclosure vs. non-disclosure and M$

On Wed, Dec 10, 2003 at 05:44:35AM -0800, S G Masood wrote:
> From: S G Masood <sgmasood () yahoo com>
> Subject: Re: [Full-disclosure] Re: Internet Explorer URL parsing vulnerability
> To: Feher Tamas <etomcat () freemail hu>, full-disclosure () lists netsys com
> Date: Wed, 10 Dec 2003 05:44:35 -0800 (PST)
>
> --- Feher Tamas <etomcat () freemail hu> wrote:
> > Hello,
> >
> > don't start a disclosure - non disclosure thread again and again and again please...
> > This is about responsible and non-responsible disclosure, which is at the heart of
> > security research. As long as you have no proof that the bug is being maliciously
> > exploited in the wild, you need to give time for the sw vendor to react and patch.
>
> If you are talking about a generic ethic, I sincerely agree. Slight deviations on
> this concept might apply depending on the vendor's track record and the
> vulnerability (I am not talking about MS alone). However, unfortunately, if you
> are familiar with the pattern in which MS handled the previous unpatched IE
> vulns, this looks like one of those IE vulns that MS *WON'T* patch.

With the virtually unlimited resources (financially and staff-wise) available to Micro$oft, why has this sort of vulnerability been left undiscovered and unpatched by Micro$oft itself?

Put a hundred people on the task of identifying any URL oddities that IE currently accepts, and patch, patch, patch. It would take less than a week to fix *all* of this sort of crap.

The fact that someone out in the community at large (once again) discovers a vuln and publishes it is just an ongoing symptom of the fundamental problem: Micro$oft is involved with "Trustworthy Computing" only so much as it plays well in a press release, and freely accepts the status quo only so long as it doesn't negatively affect the bottom line.

- John

-- 
"Most people don't type their own logfiles; but, what do I care?"
- John Sage: InfoSec Groupie
- ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
- ATTENTION: this entire message is privileged communication, intended for the sole use of its recipients only. If you read it even though you know you aren't supposed to, you're a poopy-head.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html