Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: MSIE src&name property disclosure ("E" - GORILLA WAR stratigy? )
From: bipin gautam <visitbipin () yahoo com>
Date: Mon, 8 Nov 2004 05:07:45 -0800 (PST)

Reviewing all the latest IE advisories, i believe they
are in a way attacking M$. So that its coutomers are
forced to  choose another browser... due to the
security risks involved.

I will rate it as a birth of  "E" - GORILLA WAR
stratigy?   (o;   of the minorities.

 Can a company sue a person, for publishing
irresponsible sec. advisories as such? No offence. I
just wanna know your views. Afterall, the haxor is
reverse engineering the software. I don't know if M$
will ever fire a case against such ppl. in future with
a propaganda, TO PROTECT ITS USERS?

have your say?

bipin gautam
--- Berend-Jan Wever <skylined () edup tudelft nl> wrote:

Hi all,

In response to statements found at

 "Microsoft is concerned that this new report of a
vulnerability in
Internet Explorer was not disclosed responsibly,
potentially putting
computer users at risk," the company said in the
statement. "We believe
the commonly accepted practice of reporting
vulnerabilities directly to a
vendor serves everyone's best interests, by helping
to ensure that
customers receive comprehensive, high-quality
updates for security
vulnerabilities with no exposure to malicious
attackers while the patch
is being developed."

About "responsible disclosure":
The origional vulnerability was found and disclosed
by ned. As far as I
know, ned only knew he had found something that
crashed MSIE: a bug.
Microsofts concerns would suggest two options:
1) They expect everybody who finds a bug to
investigate the issue and act
according to the impact the problem might have on
security. I do not think
this is likely to happen unless everybody is
required to be a 1337
ubergeek before they are allowed to use MS software.
It's a nice goal to
aim for, but not very realistic.
2) You can not talk about your software crashing,
ever, unless it's to the
vendor: You might have stumbled upon a vulnerability
and if a malicous
attacker hears about it, he might use it.

About "commonly accepted practice of reporting
vulnerabilities directly to
a vendor":
When did they arrest all the black-hats ?

About "no exposure to malicious attackers while the
patch is being
Allthough I believe in responsible disclosure of
vulnerabilities, it DOES
NOT prevent malicious attackers to discover and
exploit the same
vulnerability while a patch is being developed.
Resonsible disclosure
decreases the chance of somebody hacking your system
while you are
vulnerable, it doesn't make it zero.

Anybody who understands basic bufferoverflow
techniques will be able to
write an exploit for this vulnerability. I did it in
a few minutes, so how
hard can it be ? I do not feel I disclosed anything
new, I just saved a
lot of people the trouble of writing it themselves.

The vulnerability has been rated "extremely
critical" since I released the
exploit. I say it was allready "extremely critical"
before ned disclosed
his information, only nobody knew it was there. It
was "extremely
critical" when ned did, but only a few could grasp
that. Then I explained
it was an easy to exploit bufferoverflow, it still
did not get much
Writing the exploit hasn't changed the flaw or it's
impact, it just
attracked the right amount of attention to the


Full-Disclosure - We believe in it.

Do you Yahoo!? 
Check out the new Yahoo! Front Page. 

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]