Full Disclosure mailing list archives
Re: Microsoft Cries Wolf ( again )
From: Thilo Schulz <arny () ats s bawue de>
Date: Tue, 1 Jul 2003 14:12:09 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 01 July 2003 00:58, mattmurphy () kc rr com wrote:
The ZDNet article hit the point right on the head. It is irresponsible to leave the vendor uninformed before going public. Doing that helps absolutely nobody. If you're going to take the interpretation of full disclosure literally, notification of the vendor and the public is simultaneous. There will be radicals who say that notifying none is what should have happened here -- and even that policy is better than blindly rifling off details of a remotely exploitable buffer overflow to every kiddie in the world without a workaround of any kind. The poorly-structured original post didn't even make the faulty code clear.
While I agree, that you should at least provide some kind of workaround, I strongly disagree with criminalizing anyone who stands for full disclosure. I, as user and administrator, personally would rather have someone disclose a vulnerability prematurely with a workaround that I can use than someone being quiet while piling up a huge dDoS host collection / passing his t00lz around in the blackhat community. Not everyone is as good a person as microsoft wants to have them - and frankly - if I discovered a bug I would not do "cooperation" that stretches endlessly over weeks and eventually after half a year the hole is patched. In fact they should be grateful for everyone who does not hold back information about bugs in their software. Quote: "A bug like this could be triggered via a number of means...through e-mail, simply browsing a web page, perhaps browsing a network share," he wrote in an e-mail to CNET News.com. HTML and all the more Java Script simply _does_not_have_to_do_anything_at_all_with_emails_ I do not understand why things like support for this can be turned on by default. The result of this lax security policy could be seen in recent worms. And this is what really makes me sick: Trustworthy Computing Campain, but when it really comes down to the dirty work of patching they moan about everyone who does not follow their strict guidelines on reporting vulnerabilities. - Thilo Schulz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/AXqeZx4hBtWQhl4RAp09AJ9oHsRK4pkOC8oX+JChkZ+7Ktrf+ACgiXgT 5UIvmVbSoXVW/l0hNrETJ1M= =JlEK -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Microsoft Cries Wolf ( again ) Peter van den Heuvel (Jul 01)
- <Possible follow-ups>
- Re: Microsoft Cries Wolf ( again ) Thilo Schulz (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Andrew Griffiths (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Georgi Guninski (Jul 01)
- RE: Microsoft Cries Wolf ( again ) Schmehl, Paul L (Jul 01)
- Re: Microsoft Cries Wolf ( again ) KF (Jul 01)
- Re: Microsoft Cries Wolf ( again ) ATD (Jul 01)
- Re: Microsoft Cries Wolf ( again ) madsaxon (Jul 01)
- RE: Microsoft Cries Wolf ( again ) Richard M. Smith (Jul 01)
- RE: Microsoft Cries Wolf ( again ) Mike Fratto (Jul 01)
- RE: Microsoft Cries Wolf ( again ) Cesar (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Brett Hutley (Jul 02)
- Re: Microsoft Cries Wolf ( again ) KF (Jul 01)