Full Disclosure mailing list archives
Re: MSIE (mshtml.dll) OBJECT tag vulnerability
From: Tim <tim-security () sentinelchicken org>
Date: Thu, 27 Apr 2006 18:37:58 -0400
Full Disclosure is a good thing and anyone involved in the security community should be thankful for its existence! If people actually believe that the 0-days posted to this list are all 100% unique.... all i can say is wow, you're disconnected.
Ditto. Case study: At least twice in the last year, myself and coworkers have found vulnerabilities in widely-deployed software while performing pentests, only to find someone else posted the exact same flaws before we had a chance to. No, we didn't leak these holes, they were found independently prior to us finding them. I imagine this happens a lot. Notifying a vendor prior to public disclosure probably helps the public more than it hurts, at least initially. But if one waits too long on the vendor, someone else *will* find the hole and may decide to use it for various nasties. Knowing what that break-even point is in delaying disclosure involves knowing many variables that can only be estimated. Therefore the amount you "should" wait on a vendor to disclose is very subjective even if we all agree we should be defending the public (which on this list, is not the case). So, why don't we stop arguing about it and just deal with the information the best we can? tim PS- For those of you complaining about MZ, how long will you sit in Microsoft's frying pan[1]? Why not get out so you don't have to worry about it? 1. http://www.clichesite.com/content.asp?which=tip+2858 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability, (continued)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Brian Eaton (Apr 27)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 27)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Peter Besenbruch (Apr 28)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Chris Eagle (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Sol Invictus (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Aaron Gray (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Valdis . Kletnieks (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Aaron Gray (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Aaron Gray (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Tim (Apr 27)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Sol Invictus (Apr 28)