Vulnerability Development mailing list archives

Re: [ALERT] Remote File Execution By Web or Mail: Internet Explorer


From: "Robert Collins" <robert.collins () itdomain com au>
Date: Fri, 23 Nov 2001 12:49:59 +1100

----- Original Message -----
From: "Mariusz Mazur" <mariusz () isn pl>
Ok... So we know that there is a bug... It's a critical one, ppl can
"turn it off" by editing something in the registry and Microsoft is
working hard to fix it. Oh... and we know that for the next 60 days some
people can cause some damage to me and I have no way to protect myself.

Welcome to the world of partial disclosure.

Is it just me, or do more people think that releasing this
"advisory" (though this should be called "intimidator") was completely
irresponsible and plain stupid?

Actually, I think that non-full disclosure is irresponsible and plain
stupid. Of all the points on *both sides* of the argument, the one that I
think is most important is that without full disclosure or an equivalent
audit process, there is no pressure other than market share and perception
for software vendors to provide enough data for me to protect myself *OR* to
validate that the software vendor is doing their job and protecting me.

And this is a near-perfect example of this: enough data for me to protect
myself - the registry file to import - will likely provide enough detail for
a cracker to create an exploit.

-Rob
