Full Disclosure mailing list archives
RE: MSIE (mshtml.dll) OBJECT tag vulnerability
From: bruen () coldrain net
Date: Wed, 26 Apr 2006 18:03:56 -0400 (EDT)
Hi Larry, Take the Miller Analogy Test (MAT) and let me know how you make out.The analogy was as a consumer paying for a product and having the flaws be public, for public safety. The products improve as the flaws are discovered, publicized and corrected. The government has departments, like the Consumer Product Safety folks, the Federal Drug Administration, the Federal Transportation Safety Board and others to do just that. It is a good analogy if you understand it.
The automobile was merely one example. Other examples might be medicines, locks, airplanes, buildings, guns, flashlights, baby foods, chips, clothing, fire extinguishers, cell phones, highways, bridges, kitchen appliances, ski lifts, bicycles, tractors, surgical procedures, boats and many more in a very long list.
Actually, flaws in the locks in my car, plus kill switches, car alarms, etc. have been improved just so other people can not (at least not easily) steal my car (exploiting flaws) and then drive it where they want to go.
It's a good analogy. Software should not get a free pass. cheers, bob On Wed, 26 Apr 2006, Larry Seltzer wrote:
There aren't people out there looking to exploit the flaws in your car in order to drive it where they want it to go. It's a lousy analogy. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blog.eweek.com/blogs/larry%5Fseltzer/ Contributing Editor, PC Magazine larryseltzer () ziffdavis com -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of bruen () coldrain net Sent: Wednesday, April 26, 2006 4:25 PM To: Tim Bilbro Cc: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability Hi Tim, Perhaps instead of viewing this as breaking into locked doors and look at it as consumer product information, such as problems with my automobile, it would not appear as such a big deal. I like product recalls and keeping vendors honest. Product safety has improved significantly over the past 20 years because of the openness of the flaws. I am sure that software has and will continue to benefit from full disclosure of their flaws. cheers, bob On Wed, 26 Apr 2006, Tim Bilbro wrote:You do a disservice to all IT shops by announcing these vulnerabilities before contacting the vendor. I am sure it would not generate as much web traffic to your site, but it is only fair and right to allow at least some amount of time for the vendor to respond. If you think you are helping, you are wrong. Would you go around town checking which stores are unlocked at night and then publish the list in the news before letting the shop owners know? That's pretty much what you are doing. It's just not helping. There is no proof that it iseither.Tim Bilbro Information Security Specialist CISSP, MCSE trbilbro () verizon net web: www.bloglines.com/blog/Bilbro RSS: www.bloglines.com/blog/Bilbro/rss-- Bob Bruen Cold Rain Technologies http://coldrain.net
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Re: MSIE (mshtml.dll) OBJECT tag vulnerability, (continued)
- Re: Re: MSIE (mshtml.dll) OBJECT tag vulnerability Javor Ninov (Apr 26)
- Re: Re: MSIE (mshtml.dll) OBJECT tag vulnerability 0x80 (Apr 26)
- MSIE (mshtml.dll) OBJECT tag vulnerability Tim Bilbro (Apr 26)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability bruen (Apr 26)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 26)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 26)
- Re[2]: MSIE (mshtml.dll) OBJECT tag vulnerability Thierry Zoller (Apr 26)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Morning Wood (Apr 26)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Randal T. Rioux (Apr 26)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Javor Ninov (Apr 27)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability bruen (Apr 26)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 26)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 26)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 27)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Pedro Hugo (Apr 27)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability str0ke (Apr 27)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability poo (Apr 27)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Pedro Hugo (Apr 27)
- Re[2]: MSIE (mshtml.dll) OBJECT tag vulnerability Thierry Zoller (Apr 27)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Tim Bilbro (Apr 27)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 27)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Brian Eaton (Apr 27)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 27)