Re: Zero-day IE exploit...
From: Alun Jones (alun_at_texis.invalid)
Date: 11/24/05
- In reply to: Martin Spencer-Ford: "Re: Zero-day IE exploit..."
Date: Thu, 24 Nov 2005 13:23:29 -0800
Martin Spencer-Ford wrote:
> Well here's my 2 pennies' worth ....
>
> MS get told of the vulnerability maybe in a cryptic clue, such as "there
> is a flaw in there chaps, can you see what it really is, I will give you
> 6 months to suss it, after all you do have the source code, and after
> all you have all these security evaluators checking your code, and
> telling the developers how to avoid the pitfalls, but if you can't
> manage to find it with all your extensive facilities and minds, then I
> will make it real clear for you."
That's a little optimistic. The reports sent to MSRC are not always clearly
written, with simple instructions on how to reproduce the problem. Often, a
crash is reported as a vulnerability, despite the gulf between the two -
there are many ways to crash a computer without introducing a vulnerability.
Despite this, every report sent to secure@microsoft.com gets an
investigation, with an engineer and a security program manager often
spending several days trying various scenarios that might be able to
reproduce the original problem, and communicating with the original
discoverer (where there is a return address) to try and nail down the extent
of the flaw.
> Now I have nothing but respect for the guys who take the time to reverse
> engineer and find these exploits, not because of the damage they can do,
> but for their skills, and I find it a crying shame that many use those
> skills to cause problems, but when you think of the total disregard of
> the EULA committed by these people, and with Microsoft's policy of being
> heavy handed with legal pursuits, it's little wonder that there are few
> who want to work with them to reproduce the failures, it's often easier
> to release the flaw and then merge back into the crowd, but with a smug
> grin of satisfaction, and a possible slap on the back from other
> exploiters.
Microsoft has spent (and continues to spend) a considerable amount of time
and effort reaching out to exploit discoverers, to allow them to engage with
Microsoft on a more direct, personal level, rather than the usual
"big-company" style of having an email drop-box that may, or more likely,
may not, be responded to.
If you're going to point out a company as the canonical "bad example", I'd
say Oracle fits that description far better.
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.