Dailydave mailing list archives

RE: Microsoft letdown day


From: "Maynor, David (ISS Atlanta)" <dmaynor () iss net>
Date: Wed, 12 Jan 2005 11:07:04 -0500

You know you get more press if you claim something is remote. It's a
disturbing trend and no end is in sight.

-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave Aitel
Sent: Wednesday, January 12, 2005 11:01 AM
To: dailydave
Subject: [Dailydave] Microsoft letdown day

I'm both happy and sad when there are no good Microsoft bugs. On one 
hand it's good that none of your bugs got blown (phew!), and on the 
other hand you don't have anything fun to do that day. "Remote" bugs in 
IE just don't have that spark since five of them come out a week.

One thing I've noticed is that it's now endemic that everyone agrees 
with DJB that client-side bugs like the ANI overflow are "remote bugs". 
This is crazy! I wonder if it's skewing any new "research" on "windows 
of vulnerability" or "The security of Linux versus Microsoft Windows". 
There are three simple classifications:
Local
Remote
Client-Side

An IE bug is not a remote bug. It's a client-side bug. I like how they 
claim there's "remote code execution." Is it making a DCOM call to a 
remote machine? :>

If the industry can't even get this sort of thing right, how do we 
expect it to do something hard, like protect my Sidekick from getting
owned?

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave


