Full Disclosure mailing list archives
Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
From: Jorrit Kronjee <full-disclosure () nospam wafel org>
Date: Thu, 19 Feb 2004 09:09:30 +0100
Tim wrote:
Oh, give me a break. Some developer went, "Oh, hey, I'm not bounds checking there. Okay, fix that," and the changes filtered out into the release of IE. You don't release "security patches" except in response to publication of a serious vulnerability, and especially in response to a problem that's systemic. This is *a* buffer overflow. Do we expect even Sun or Apple to tell us about every buffer overflow they fix? Hell, do we expect Linux or NetBSD to do so? C'mon, people. If you're going to be quoted for publication, try to make statements reasonable to the actual importance of the issues at hand.Say you are an engineer at a large car manufacturing company. Suppose, 6 months after the 2004 model of your sedan goes out the door, you discover, as an engineer who helped build it, that the car's frame is flawed. Suppose that it is so flawed that after 3 years, it may break due to normal use, potentially causing bad crashes. Is it your moral obligation to notify customers? Sure you are going to fix it in next year's model, that is a given. But what about all those people with a potentially deadly model? Obviously, this is not the auto industry. Some will argue that we are not talking about life-and-death situations here. But the reality is, we are. Software bugs can cause death, and have before, both on the small scale, and the large scale. (can you say "power outage"?) As the world moves forward with "progress", it will become ever more important. It is about time that IT professionals realize this and start expecting quality out of the products they buy. Hope that puts it into perspective for some people. tim
I think we've heard the comparison with car manufacturers a dozen times, but i think this one is flawed. A buffer overflow is not triggered unless a malicious person does so. So a more fitting comparison would be if the brakes of your car were easily accessible to malicious persons, therefor causing a life-threatening situation.
Hope that puts it into perspective for you, Jorrit _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution, (continued)
- RE: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Paul Schmehl (Feb 18)
- Re: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution morning_wood (Feb 18)
- Re: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Paul Schmehl (Feb 18)
- RE: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Byron Copeland (Feb 18)
- Re: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution morning_wood (Feb 18)
- RE: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Shawn K. Hall (RA/Security) (Feb 18)
- RE: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution CHS (Feb 18)
- RE: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Byron Copeland (Feb 18)
- Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution madsaxon (Feb 18)
- Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Brent J. Nordquist (Feb 18)
- Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Jorrit Kronjee (Feb 19)
- Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Cael Abal (Feb 18)
- Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Joshua Levitsky (Feb 18)
- os x mass mailers petard (Feb 18)
- Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Cael Abal (Feb 15)