Full Disclosure mailing list archives

From: Leif Sawyer <lsawyer () gci com>
Date: Mon, 19 Jul 2004 12:07:04 -0800

On Mon, July 19, 2004, Eric Paynter replied to:
nicolas vigier, who said:
> > The real solution is to use a browser with no known
> > vulnerability (and that's better if it didn't have
> > a lot in the past), not to try to hide what you
> > are using.
>
> That's not always possible. Sometimes, changing the browser
> is a project that will take months to complete (think:
> corporation with thousands of PCs at hundreds of sites - it
> takes time to create the business case, get funding,
> build/test the auto install package, retrain the end users,
> etc.). In the period of exposure, any little bit helps
> (albeit, minimally). This small change can probably be done
> in a couple of weeks with no impact to the user.

Not to mention all the vendors out there whose products have
asinine restrictions, because they can't be bothered to code
portable web-apps.

Think Cisco, for one.

I personally think that _EVERYBODY_ with a CCO contract should
open up a TAC case complaining that X-application (website,
RME, VMS, etc..) doesn't work with a W3C-Standards Compliant
browser, nor with latest-bug-fixed JREs.

I've already got mine open, but of course "Use I.E. or some
old version of Netscape Navigator, and an old JRE!" is the
typical response. They need a lot more prodding to keep their
security platform up-to-date with security standards.
