Full Disclosure mailing list archives
Re: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption
From: Paul Tinsley <pdt () jackhammer org>
Date: Wed, 11 Feb 2004 09:39:44 -0600
Geo. wrote:
If we skip over the whole legitimate companies doing very illegal things point of view and skip right to you jumping to the conclusion that I don't care about speedy resolution of problems. Resolution of vulnerabilities is not the same thing as technical detail _disclosure_ of details about the vulnerability. I was very vocal about not agreeing with Microsoft moving to a month long patch cycle. I want fixes as they are available so I can get to work fixing the holes as soon as possible. I still believe there should be bulletins posted with details that there is a hole and a fix available. But full detail bulletins should lag the initial release of the patch by some number of weeks/months.Sure am glad you put that notice in there, here I was getting all hotand bothered that you were giving people a road map to the exploit. Here I was wondering why a security vendor would be increasing the risk model by releasing details which will save the "bad guys" weeks of research on the day of the patch release, giving the "good guys" even less time to regression test this patch in their environment and mitigate any harmful side effects.<< Why is that such a problem when you don't seem to care that both eeye and Microsoft have had full remote anonymous access to all your Windows systems for the past 5 months? Kinda handy if a vendor could just walk into your billing system to see how much you bill each month so they could figure out how much to charge you...
As far as Eeye having a stockpile of Microsoft vulnerabilities and I would assume lab code that can exersize them, doesn't bother me as much as some cred whore leaking it to all his buds just to gain more street cred. At least that was my impression, before Eeye started doing GOBBLES style bulletins with rap excerpts in them...
Thanks, Paul Tinsley
Geo. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Marc Maiffret (Feb 10)
- Re: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Paul Tinsley (Feb 11)
- RE: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Geo. (Feb 11)
- Re: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Paul Tinsley (Feb 11)
- RE: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Geo. (Feb 11)
- RE: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Bill Royds (Feb 11)
- RE: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Geo. (Feb 11)
- Re: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Paul Tinsley (Feb 11)
- <Possible follow-ups>
- Re: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption macmanus (Feb 11)
- Re: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption bart2k (Feb 11)
- RE: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption nick danger (Feb 11)