Full Disclosure mailing list archives
Re: Re: Internet Explorer URL parsing vulnerability
From: Jedi/Sector One <j () pureftpd org>
Date: Wed, 10 Dec 2003 23:49:03 +0100
On Wed, Dec 10, 2003 at 09:34:04PM +0000, petard wrote:
> It means balancing customer demand (the amount of money to be made) against the cost of fulfilling that demand
To be fair, do you really think that fixing all currently known, but still unfixed bugs would cost millions of dollars? Does hiring people like Lyu Die Lu cost millions of dollars? Do you seriously think that fixing the 0x01 issue requires more than 10 lines of code? And that releasing the binary patches takes months of hard work and a lot of money? Yes, it means balancing customer demand against costs, but both have to be in the same order of magnitude to be comparable. At a cost that is just like zero for a corp like Microsoft, they could release a patch for the 0x01 issue in 24h. And in return they get more trust from users, which is something they may need in the long term. But they don't care and they even announced that no new fix will be released before 2004.
> So the answer is not "They simply don't want it fixed."
Internet Explorer is a special case. It just sounds as if Microsoft doesn't want to maintain the product any more since the very first version of IE 6. As if some day, Bill said "ok, let's freeze everything. Stop working on IE, just take the current state of the CVS tree and it will remain the same during 10 years". There has been no actual improvement in Internet Explorer since the first release of IE 6. No tabs, no proper PNG support while all other browsers do. Worse: support for stylesheets really looks like unfinished work. Basic features are missing, others are totally buggy. Webmasters need to waste time in order to add tons of ugly hacks to let IE render something coherent. These bugs are obvious, really nasty, discussed everywhere and dealing with them costs money to people. Years after, nothing changed. And finally, Microsoft officially announces that there will be no more IE release until Longhorn (2008?). Critical functional bugs are left as is, critical security bugs are just fixed occasionally, and thanks to other people for finding them. Internet Explorer is obviously unmaintained software.
Best regards,
--
 __  /*-  Frank DENIS (Jedi/Sector One) <j at 42-Networks.Com>  -*\  __
 \ '/  <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>  \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html