mailing list archives
From: "Eric Lauzon" <eric.lauzon () abovesecurity com>
Date: Fri, 12 Nov 2004 16:47:45 -0500
Security dosent mean functionality.
You have to make a choice.
Like when you vote for an election.
Now as with any os windows/IE will be
secure if you cut down functionality.
If you think everyone's windows desktop should be
secured as lets say with irony, *bsd or linux or *nix even.
(LOL as if its been so flawless and so innovative),
Do you think every one would be using computers as
it is today.
So if your not smart enough to secure your self
to prevent problems dont assume software vendors
to take your hand and remove functionality so you
can be secure.
Whinning about a simple bug eventho it can have
alot of impact is not whats gonna get you protected.
What about those N other bugs in all other software
Functionality VS SECURITY (PERIOD)
The industry of security is pushing,
software vendor are not following,
some people want to have part in the
industry only for the money and the fame,
most of them post on ML so they get attention
you see people trying to scare you with funky
client side bugs as if other client software
for other purpose are immuned ... :) its
all about trust.
I think they should lay back and try some test
senario before saying its the ultimate bug
yet ive not seen a variation of the IE exploit
being able to exploit IE without scripting enabled
And im not taking about cross-zone where it would
go into the intranet zone and then exploit the bug
using IFRAME exploit. Because if you do that
but scripting is disabled in the INTRANET zone
you will hit a dead end also. Im only writing this
because ive seen hype and scared people arround the subject
but ive yet to see an analysis if the situation that explain
why that bug do not work when the web site IS NOT TRUSTED.
Anyone want to prove the opposite?!
ps: dont exploit my grammar :)
Full-Disclosure - We believe in it.
- Seriously IE/FAME/BASHING Eric Lauzon (Nov 13)