Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Re: disclosure vs. non-disclosure and M$

On Wed, Dec 10, 2003 at 05:44:35AM -0800, S G Masood wrote:
> From: S G Masood <sgmasood@yahoo.com>
> Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing
>  vulnerability
> To: Feher Tamas <etomcat@freemail.hu>, full-disclosure@lists.netsys.com
> Date: Wed, 10 Dec 2003 05:44:35 -0800 (PST)
> 
> 
> --- Feher Tamas <etomcat@freemail.hu> wrote:
> > Hello,
> > 
> > >don't start a disclosure - non disclosure thread
> > again and again
> > and again please...
> > 
> > This is about responsible and non-responsible
> > disclosure, which is at 
> > the heart of security research.
> > 
> > As long as you have no proof that the bug is being
> > maliciously exploited 
> > in the wild, you need to give time for the sw vendor
> > to react and patch. 
> 
> If you are talking about a generic ethic, I sincerely
> agree. Slight deviations on this concept might apply
> depending on the vendor's track record and the
> vulnerability (I am not talking about MS alone). 
> 
> However, unfortunately, if you are familiar with the
> pattern in which MS handled the previous unpatched IE
> vulns, this looks like one of those IE vulns. that MS
> *WON'T* patch.

With the virtually unlimited resources (financially and staff-wise)
available to Micro$oft, why has this sort of vulnerability been left
undiscovered and unpatched by Micro$oft itself?

Put a hundred people on the task of identifying any URL oddities that
IE currently accepts, and patch, patch, patch.

It would take less than a week to fix *all* of this sort of crap.

The fact that someone out in the community at large (once again)
discovers a vuln and publishes it is just an ongoing symptom of the
fundamental problem:

Micro$oft is involved with "Trustworthy Computing" only so much as it
plays well in a press release, and freely accepts the status quo only
so long as it doesn't negatively affect the bottom line.
- John
-- 
"Most people don't type their own logfiles;  but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html