Full Disclosure mailing list archives
Re: MSIE (mshtml.dll) OBJECT tag vulnerability
From: "meta security" <metasec () gmail com>
Date: Thu, 27 Apr 2006 17:19:40 -0400
Full Disclosure is a good thing and anyone involved in the security community should be thankful for its existence! If people actually believe that the 0-days posted to this list are all 100% unique.... all i can say is wow, you're disconnected. Lets pretend for a second that this was never posted - does anyone honestly think that there isn't someone else (someone with serious malicious intent) out there working around the clock to hammer out IE exploits? If you don't then you're naive and enjoy a false sense of security! That same person with malicious intent will eventually, or worse, might have already discovered this same problem and guess what?...they're not going to tell anyone! Well they might tell others, but its certainly not going to be vendor or most of the people reading this list. At least with disclosures like Michal's the community is made aware of the problem and can be on the lookout for attacks that might otherwise go undetected. Yes, pushing the problem to the surface might cause other less skilled attackers to latch on and start exploiting the vulnerability -- But this also leads to definition updates from AV companies, or if mountains feel like moving, releasing a patch out of cycle, both are good things. What it really comes down to is awareness and that's exactly how this helps the community, it keeps everyone alert and on their toes, if that's not your cup of tea then you're in the wrong industry. Personally, I would rather know about the problem before the patch drops...maybe this is a weird concept, but i have a feeling one or two people agree with me. On 4/27/06, Tim Bilbro <trbilbro () verizon net> wrote:
Setting aside analogies, the questions remain: Does full disclosure make the IT community as whole less secure than it would otherwise would be? Is it more dangerous to have a handfull of sophisticated blackhats lurking about with an unknown exploit vs. publishing it for every wannabe hacker to use? I am confident that the answer is that fully disclosing discovered vulnerabilites without first giving the vendor a reasonable chance to address them is more harmful. There is no question that vendors, particulary Microsoft, have a history of neglect in this area, and folks have a right to be angry with them. Unfortunately, full disclosure doesn't hurt them as much as it hurts the information security community as a whole. While not patronizing the vendor because of the neglect is the most logical choice, it is an impracticality for many. I don't question the right or ethics of full disclosure. It's just pain in the neck that might otherwise be avoided or at least minimized. It's not helping. -----Original Message----- From: Larry Seltzer [mailto:larry () larryseltzer com] Sent: Wednesday, April 26, 2006 4:34 PM To: bob () coldrain net; 'Tim Bilbro' Cc: full-disclosure () lists grok org uk Subject: RE: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability There aren't people out there looking to exploit the flaws in your car in order to drive it where they want it to go. It's a lousy analogy. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blog.eweek.com/blogs/larry%5Fseltzer/ Contributing Editor, PC Magazine larryseltzer () ziffdavis com -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of bruen () coldrain net Sent: Wednesday, April 26, 2006 4:25 PM To: Tim Bilbro Cc: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability Hi Tim, Perhaps instead of viewing this as breaking into locked doors and look at it as consumer product information, such as problems with my automobile, it would not appear as such a big deal. I like product recalls and keeping vendors honest. Product safety has improved significantly over the past 20 years because of the openness of the flaws. I am sure that software has and will continue to benefit from full disclosure of their flaws. cheers, bob On Wed, 26 Apr 2006, Tim Bilbro wrote:You do a disservice to all IT shops by announcing these vulnerabilities before contacting the vendor. I am sure it would not generate as much web traffic to your site, but it is only fair and right to allow at least some amount of time for the vendor to respond.If you think you are helping, you are wrong. Would you go around town checking which stores are unlocked at night and then publish the list in the news before letting the shop owners know? That's pretty much what you are doing. It's just not helping. There is no proof that itis either.Tim Bilbro Information Security Specialist CISSP, MCSE trbilbro () verizon net web: www.bloglines.com/blog/Bilbro RSS: www.bloglines.com/blog/Bilbro/rss-- Bob Bruen Cold Rain Technologies http://coldrain.net +1.802.579.6288 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability, (continued)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 27)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Brian Eaton (Apr 27)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 27)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Peter Besenbruch (Apr 28)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Chris Eagle (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Sol Invictus (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Aaron Gray (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Valdis . Kletnieks (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Aaron Gray (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Aaron Gray (Apr 28)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 27)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Tim (Apr 27)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Sol Invictus (Apr 28)