Full Disclosure mailing list archives

Re: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution


From: Tim <tim-security () sentinelchicken org>
Date: Wed, 18 Feb 2004 12:04:33 -0800

> The first is that this IE bug is life-threatening. It's not.

(look below)

> The second is that IE cost the users' money. It didn't.

IE is "part of the OS".  Therefore users did pay for it.

> It's not my moral responsibility to list every single component
> that's wrong if I recall the vehicle. Microsoft has, several times
> now, recalled the vehicle and replaced it for free.

No, not every component.  Just the ones that could lead to catastrophic
failure.  Does the auto industry report every bug that could lead to
catastrophic failure without being forced to?  No.  Should they morally?
Yes.

> Where's the problem?
> This is outrageous FUD. Web browsers are not used in medical
> appliances.

Oh?  Have you worked in a hospital?  I haven't, but I am willing to bet
a lot of medical records and even appliances are run on Windows.
Correct me if I am wrong.

Regardless, we aren't just talking about the most obvious industries
like the medical.  What about cars?  I believe M$ is trying to put CE or
some variant into cars now.  What about SCADA systems?  Military?

If you haven't figured it out yet, in a relatively small number of
years, every freaking device you buy that does anything useful will have
some kind of OS on it.  If our current standard of security isn't
raised... well, fill in the blank.

In any case, the comment I was originally responding to was:
"Do we expect even Sun or Apple to tell us about every buffer overflow
they fix? Hell, do we expect Linux or NetBSD to do so?"

So you are the one who broadened the scope outside of browsers.  I am
merely responding to your narrow-minded view of what a software
developer's responsibility is in situations like this.  I am not just
attacking M$.  Most software sucks.  Software developers and their
companies need to be held more accountable for their actions.

Respond if you wish, but I have made my statements and will no longer
comment on this thread.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
