
Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability

On Wed, Dec 10, 2003 at 09:23:40AM +0100, Feher Tamas wrote:
> Unless the bug has already been exploited by malicious people, it was 
> a highly irresponsible act to disclose it to the public, without giving 
> Microsoft a reasonable timeframe to produce a fix.

  People know that new critical flaws are discovered in Internet Explorer
every week, but keep using this product.

  Who is to blame here?

> It may even qualify as a crime!

  In this case, Microsoft is the actual criminal.
  
  To bring back the traditional car-vs-software parallel... Imagine that
Ford is selling cars that are known to have serious defects. Every week a new
serial defect is found (and not even by the manufacturer but by an
individual). And because of these defects, thousands of people are already
dead. Now, the defect-of-the-week is that when you say "booh!" to a Ford car,
it explodes 10 minutes later.

  Now when a car explodes because of that flaw, who is to blame?
  
- People who keep buying those cars while knowing they are playing Russian
roulette? Obviously.

- Ford that still keeps selling these cars (fixing some reported flaws,
ignoring some others, not really carefully testing anything themselves
before products hit the market) ? Obviously.

- A kiddy who notices the "booh!" bug by accident and tells his friends (so
that the problem is known to the public instead of being kept silent, waiting for
a vendor fix and imagining that because the fix is there, everyone on the
planet will immediately apply it)? Obviously not.

  Past the marketing "Microsoft now focuses on security" craptalk, the
current situation regarding Internet Explorer has been the same for years.
Use it without Qwik-fix, an antivirus, a firewall and careful reflection
before clicking anywhere and you are still vulnerable to trivial flaws. So
instead of blaming whoever found the IE bugs of the week, just switch to
other browsers.

  Best regards,
  
-- 
 __  /*-    Frank DENIS (Jedi/Sector One) <j at 42-Networks.Com>    -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html