Dailydave mailing list archives
Re: TTW
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 16 Nov 2011 10:47:34 -0800
Hi Kristian,

Thanks for the praise.

> As a final note, it was highly predictable to see Microsoft and other more slowly moving browser vendors being scolded for their inability to rectify issues (even those that are known)

For what it's worth, I tried to keep vendor-bashing to a minimum; all of them are guilty of various transgressions, and while it's useful to record some of the more interesting cases, it's probably counterproductive to dwell on them or trade insults.

Now, I personally think that Microsoft's handling of the vulnerability response process is inadequate, and that this inadequacy is sometimes advanced using false pretenses - but I did my best to keep this opinion outside the scope of the book :-)

When it comes to rolling out new security features in MSIE, they are actually pretty great. I am actually impressed that almost all the key players now all seem to have people passionate about deploying reasonably well-designed security features (e.g. David Ross over at Microsoft, Brian Sterne over at Mozilla, and Adam Barth working on WebKit and Chrome) - and I wish we could say the same about the plugin world...

It is still troubling that most of the recent improvements do very little for existing apps and prevalent application design paradigms, and only add complexity and new boundaries on top of the current browser security model; and that the approach often is "implement first, coordinate later". On the flip side, I can see the appeal of devising a successful security mechanism, versus struggling to implement something envisioned by an armchair expert.

/mz