Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability

From: John Sage (jsage_at_finchhaven.com)
Date: 12/10/03

    To: full-disclosure@lists.netsys.com
    Date: Wed, 10 Dec 2003 08:54:38 -0800
    
    

    Re: disclosure vs. non-disclosure and M$

    On Wed, Dec 10, 2003 at 05:44:35AM -0800, S G Masood wrote:
    > From: S G Masood <sgmasood@yahoo.com>
    > Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing
    > vulnerability
    > To: Feher Tamas <etomcat@freemail.hu>, full-disclosure@lists.netsys.com
    > Date: Wed, 10 Dec 2003 05:44:35 -0800 (PST)
    >
    >
    > --- Feher Tamas <etomcat@freemail.hu> wrote:
    > > Hello,
    > >
    > > >don't start a disclosure - non disclosure thread
    > > again and again
    > > and again please...
    > >
    > > This is about responsible and non-responsible
    > > disclosure, which is at
    > > the heart of security research.
    > >
    > > As long as you have no proof that the bug is being
    > > maliciously exploited
    > > in the wild, you need to give time for the sw vendor
    > > to react and patch.
    >
    > If you are talking about a generic ethic, I sincerely
    > agree. Slight deviations on this concept might apply
    > depending on the vendor's track record and the
    > vulnerability (I am not talking about MS alone).
    >
    > However, unfortunately, if you are familiar with the
    > pattern in which MS handled the previous unpatched IE
    > vulns, this looks like one of those IE vulns that MS
    > *WON'T* patch.

    With the virtually unlimited resources (financially and staff-wise)
    available to Micro$oft, why has this sort of vulnerability been left
    undiscovered and unpatched by Micro$oft itself?

    Put a hundred people on the task of identifying any URL oddities that
    IE currently accepts, and patch, patch, patch.

    It would take less than a week to fix *all* of this sort of crap.

    The fact that someone out in the community at large (once again)
    discovers a vuln and publishes it is just an ongoing symptom of the
    fundamental problem:

    Micro$oft is involved with "Trustworthy Computing" only so much as it
    plays well in a press release, and freely accepts the status quo only
    so long as it doesn't negatively affect the bottom line.

    - John

    -- 
    "Most people don't type their own logfiles;  but, what do I care?"
    -
    John Sage: InfoSec Groupie
    -
    ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
    -
    ATTENTION: this entire message is privileged communication, intended
    for the sole use of its recipients only. If you read it even though
    you know you aren't supposed to, you're a poopy-head.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
