Re: MSIE src&name property disclosure ("E" - GORILLA WAR stratigy? )

[bipin gautam <visitbipin () yahoo com>]

huh!
Reviewing all the latest IE advisories, i believe they
are in a way attacking M$. So that its coutomers are
forced to  choose another browser... due to the
security risks involved.

I will rate it as a birth of  "E" - GORILLA WAR
stratigy?   (o;   of the minorities.


 Can a company sue a person, for publishing
irresponsible sec. advisories as such? No offence. I
just wanna know your views. Afterall, the haxor is
reverse engineering the software. I don't know if M$
will ever fire a case against such ppl. in future with
a propaganda, TO PROTECT ITS USERS?

have your say?

bipin gautam
--- Berend-Jan Wever <skylined () edup tudelft nl> wrote:

> Hi all,
>
> In response to statements found at
http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html
>  "Microsoft is concerned that this new report of a
> vulnerability in
> Internet Explorer was not disclosed responsibly,
> potentially putting
> computer users at risk," the company said in the
> statement. "We believe
> the commonly accepted practice of reporting
> vulnerabilities directly to a
> vendor serves everyone's best interests, by helping
> to ensure that
> customers receive comprehensive, high-quality
> updates for security
> vulnerabilities with no exposure to malicious
> attackers while the patch
> is being developed."
>
> About "responsible disclosure":
> The origional vulnerability was found and disclosed
> by ned. As far as I
> know, ned only knew he had found something that
> crashed MSIE: a bug.
> Microsofts concerns would suggest two options:
> 1) They expect everybody who finds a bug to
> investigate the issue and act
> according to the impact the problem might have on
> security. I do not think
> this is likely to happen unless everybody is
> required to be a 1337
> ubergeek before they are allowed to use MS software.
> It's a nice goal to
> aim for, but not very realistic.
> 2) You can not talk about your software crashing,
> ever, unless it's to the
> vendor: You might have stumbled upon a vulnerability
> and if a malicous
> attacker hears about it, he might use it.
>
> About "commonly accepted practice of reporting
> vulnerabilities directly to
> a vendor":
> When did they arrest all the black-hats ?
>
> About "no exposure to malicious attackers while the
> patch is being
> developed":
> Allthough I believe in responsible disclosure of
> vulnerabilities, it DOES
> NOT prevent malicious attackers to discover and
> exploit the same
> vulnerability while a patch is being developed.
> Resonsible disclosure
> decreases the chance of somebody hacking your system
> while you are
> vulnerable, it doesn't make it zero.
>
> Anybody who understands basic bufferoverflow
> techniques will be able to
> write an exploit for this vulnerability. I did it in
> a few minutes, so how
> hard can it be ? I do not feel I disclosed anything
> new, I just saved a
> lot of people the trouble of writing it themselves.
>
> The vulnerability has been rated "extremely
> critical" since I released the
> exploit. I say it was allready "extremely critical"
> before ned disclosed
> his information, only nobody knew it was there. It
> was "extremely
> critical" when ned did, but only a few could grasp
> that. Then I explained
> it was an easy to exploit bufferoverflow, it still
> did not get much
> attention.
> Writing the exploit hasn't changed the flaw or it's
> impact, it just
> attracked the right amount of attention to the
> problem.
>
> Cheers,
> SkyLined
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html



                
__________________________________ 
Do you Yahoo!? 
Check out the new Yahoo! Front Page. 
www.yahoo.com 
 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html