Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

From: Thilo Schulz (arny_at_ats.s.bawue.de)
Date: 07/01/03

  • Next message: Andrew Griffiths: "Re: [Full-Disclosure] Microsoft Cries Wolf ( again )"
    To: full-disclosure@lists.netsys.com
    Date: Tue, 1 Jul 2003 14:12:09 +0200

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Tuesday 01 July 2003 00:58, mattmurphy@kc.rr.com wrote:
    > The ZDNet article hit the point right on the head. It is irresponsible to
    > leave the vendor uninformed before going public. Doing that helps
    > absolutely nobody. If you're going to take the interpretation of full
    > disclosure literally, notification of the vendor and the public is
    > simultaneous. There will be radicals who say that notifying none is what
    > should have happened here -- and even that policy is better than blindly
    > rifling off details of a remotely exploitable buffer overflow to every
    > kiddie in the world without a workaround of any kind. The
    > poorly-structured original post didn't even make the faulty code clear.

    While I agree that you should at least provide some kind of workaround, I
    strongly disagree with criminalizing anyone who stands for full disclosure.

    I, as user and administrator, personally would rather have someone disclose a
    vulnerability prematurely with a workaround that I can use than someone being
    quiet while piling up a huge dDoS host collection / passing his t00lz around
    in the blackhat community. Not everyone is as good a person as microsoft
    wants to have them - and frankly - if I discovered a bug I would not do
    "cooperation" that stretches endlessly over weeks and eventually after half a
    year the hole is patched.
    In fact they should be grateful for everyone who does not hold back
    information about bugs in their software.

    Quote:
    "A bug like this could be triggered via a number of means...through e-mail,
    simply browsing a web page, perhaps browsing a network share," he wrote in an
    e-mail to CNET News.com.

    HTML and all the more JavaScript simply
    _does_not_have_to_do_anything_at_all_with_emails_

    I do not understand why things like support for this can be turned on by
    default. The result of this lax security policy could be seen in recent
    worms. And this is what really makes me sick: Trustworthy Computing Campaign,
    but when it really comes down to the dirty work of patching they moan about
    everyone who does not follow their strict guidelines on reporting
    vulnerabilities.

     - Thilo Schulz
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (GNU/Linux)

    iD8DBQE/AXqeZx4hBtWQhl4RAp09AJ9oHsRK4pkOC8oX+JChkZ+7Ktrf+ACgiXgT
    5UIvmVbSoXVW/l0hNrETJ1M=
    =JlEK
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
