Full Disclosure mailing list archives
RE: MSIE (mshtml.dll) OBJECT tag vulnerability
From: "Tim Bilbro" <trbilbro () verizon net>
Date: Thu, 27 Apr 2006 18:38:52 -0400
Why didn't I even try, you say? Past experiences of numerous
researchers
aside, consider this: Microsoft takes 3-6 months to fix critical but non-public vulnerabilities in their flagship software (some of these
flaws
must've been independently discovered by the rogues, hence putting customers at great risk, or at best taking chances). This is not a reasonable timeframe, compared to industry averages. Yet, they only
take
2-4 weeks to fix publicly disclosed bugs - thus making software safer, sooner.
Nice of you to make that risk assessment for the entire IA community. Thanks.
You're making an argument for no disclosure and no accountability...
...by saying that it sucks for infosec workers to have to do some
actual
work, rush workarounds, write IDS signatures - based not on guesses, but on useful information...
...and you're making this argument On a full disclosure mailing list.
Bravo.
I have made no such arguments. My argument is that a responsible researcher should give the vendor a chance to respond. If they don't within a reasonable amount time, publish the vulnerability and document the vendor's lack of response. Further, releasing a zero-day vulnerability without giving a vendor any chance to respond does more harm than good. That's my argument. Sorry to crash the party here, but you guys aren't going to be able release zero-day exploits without getting some flak from the folks who have to respond to them. Free speech goes both ways, you know. I'd say we're at a point of agreement on disagreeing at this point. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability, (continued)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 27)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Peter Besenbruch (Apr 28)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Chris Eagle (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Sol Invictus (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Aaron Gray (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Valdis . Kletnieks (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Aaron Gray (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Aaron Gray (Apr 28)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Tim (Apr 27)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Sol Invictus (Apr 28)