Re: Zero-day IE exploit...
From: karl levinson, mvp (levinson_k_at_despammed.com)
Date: 11/24/05
- Next message: Roger Wilco: "Re: Running program files on XP with non-executable extension?"
- Previous message: Imhotep: "Re: Zero-day IE exploit..."
- In reply to: Imhotep: "Re: Zero-day IE exploit..."
- Next in thread: Alun Jones: "Re: Zero-day IE exploit..."
Date: Wed, 23 Nov 2005 21:43:44 -0500
"Imhotep" <imhotep@nospam.com> wrote in message
news:Y7ednZp1affQjxjenZ2dnUVZ_tSdnZ2d@adelphia.com...
>> skills to cause problems, but when you think of the total disregard of
>> the EULA committed by these people, and with Microsoft's policy of being
>> heavy-handed with legal pursuits, it's little wonder that there are few
>> who want to work with them to reproduce the failures. It's often easier
>> to release the flaw and then merge back into the crowd, but with a smug
>> grin of satisfaction, and a possible slap on the back from other
>> exploiters.
> Very good comments. Microsoft has in many ways caused the current
> situation...
Oh, come now. If a vuln finder were really concerned about being sued,
finding and releasing a vuln without contacting Microsoft increases rather
than decreases the likelihood of being hassled.
The vuln finders that ARE worried about being hassled typically stop finding
and/or releasing vulns publicly, as RFP and others did. They typically do
NOT release them direct to the public as this vuln finder did, because that
doesn't really get rid of the risk of being hassled. None of this really
explains why the vuln was released as a DoS in May and took until November
before anyone admitted to discovering how to use it to execute code
remotely.
While Microsoft has occasionally tried to hassle a few vuln finders for this
reason or that, other vendors like Cisco and Oracle are much worse than
Microsoft, in that they actually hassle vuln finders that are working
responsibly with them.
Anyway, if it's true as you suggest that this vuln finder did not release
details about the vuln to Microsoft, then it's absurd to fault Microsoft for
not independently figuring out the vulnerability.