Full Disclosure mailing list archives
Re: MSIE (mshtml.dll) OBJECT tag vulnerability
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Wed, 26 Apr 2006 22:33:46 +0200 (CEST)
On Wed, 26 Apr 2006, Tim Bilbro wrote:
You do a disservice to all IT shops by announcing these vulnerabilities before contacting the vendor.
How were you impacted? What were your damages? The only loss that could possibly occur to you or your company was the time you wasted to write this rant, and the subsequent damage to your reputation if you turn this into a fully-fledged and entirely counterproductive flamewar. In case you didn't notice, I *do* work with vendors; not because I believe that a particular disclosure policy is morally superior, but because I chose to. Microsoft is a rare exception to this rule, for a couple of reasons. Why, you ask? It is my unsubstantiated opinion that they consistently, unreasonably delay disclosure of problems; that they don't participate in the vulnerability research community in any way, while trying to impose artbitrary standards and punish certain researchers (often employing borderline extortion practices); and that they routinely communicate false pretenses when dealing with the media regarding known security issues. I can't make a difference, but I'm one of the few folks who can still afford this small degree of civil disobedience.
I am sure it would not generate as much web traffic to your site
Oh, tragic. Generating traffic to my ad-free webpage is precisely why I spend hours researching problems. Now you see why I couldn't handle it any other way.
Would you go around town checking which stores are unlocked at night and then publish the list in the news before letting the shop owners know?
I see that you took the "bad analogy 101" course in the logical fallacy class? /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability, (continued)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Sol Invictus (Apr 24)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Dave "No, not that one" Korn (Apr 25)
- Re: Re: MSIE (mshtml.dll) OBJECT tag vulnerability Valdis . Kletnieks (Apr 25)
- Re: Re: MSIE (mshtml.dll) OBJECT tag vulnerability Raoul Nakhmanson-Kulish (Apr 25)
- Re: Re: MSIE (mshtml.dll) OBJECT tag vulnerability Valdis . Kletnieks (Apr 25)
- Re: Re: MSIE (mshtml.dll) OBJECT tag vulnerability Raoul Nakhmanson-Kulish (en) (Apr 25)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Sol Invictus (Apr 24)
- Re: Re: MSIE (mshtml.dll) OBJECT tag vulnerability Javor Ninov (Apr 26)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability bruen (Apr 26)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 26)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 26)
- Re[2]: MSIE (mshtml.dll) OBJECT tag vulnerability Thierry Zoller (Apr 26)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Morning Wood (Apr 26)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Randal T. Rioux (Apr 26)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Javor Ninov (Apr 27)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 26)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Pedro Hugo (Apr 27)