
Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability



On Wed, Dec 10, 2003 at 09:34:04PM +0000, petard wrote:
> It means balancing customer demand (the
> amount of money to be made) against the cost of fulfilling that demand

  To be fair, do you really think that fixing all currently known, but
still unfixed bugs would cost millions of dollars?

  Does hiring people like Lyu Die Lu cost millions of dollars?
  
  Do you seriously think that fixing the 0x01 issue requires more than 10
lines of code? And that releasing the binary patches takes months of hard
work and a lot of money?

  Yes, it means balancing customer demand against costs, but both have to be
in the same order of magnitude to be comparable. At a cost that is just like
zero for a corp like Microsoft, they could release a patch for the 0x01
issue in 24h. And in return they get more trust from users, which is
something they may need in the long term. But they don't care and they even
announced that no new fix will be released before 2004.

> So the answer is not "They simply don't want it fixed."

  Internet Explorer is a special case. It just sounds as if Microsoft
hasn't wanted to maintain the product any more since the very first version
of IE 6. As if some day, Bill said "ok, let's freeze everything. Stop
working on IE, just take the current state of the CVS tree and it will
remain the same for 10 years".

  There has been no actual improvement in Internet Explorer since the first
release of IE 6. No tabs, no proper PNG support while all other browsers have it.
Worse: support for stylesheets really looks like unfinished work. Basic
features are missing, others are totally buggy. Webmasters need to waste time
adding tons of ugly hacks to let IE render something coherent.
These bugs are obvious, really nasty, discussed everywhere, and dealing with
them costs people money. Years later, nothing has changed. And finally,
Microsoft officially announces that there will be no more IE release until
Longhorn (2008 ?).

  Critical functional bugs are left as is, critical security bugs are just
fixed occasionally, and thanks to other people for finding them.

  Internet Explorer is obviously unmaintained software.
  
  Best regards,
  
-- 
 __  /*-    Frank DENIS (Jedi/Sector One) <j at 42-Networks.Com>    -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html