Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: MSIE (mshtml.dll) OBJECT tag vulnerability
From: "Tim Bilbro" <trbilbro () verizon net>
Date: Thu, 27 Apr 2006 14:40:56 -0400

Setting aside analogies, the questions remain: Does full disclosure make
the IT community as whole less secure than it would otherwise would be?
Is it more dangerous to have a handfull of sophisticated blackhats
lurking about with an unknown exploit vs. publishing it for every
wannabe hacker to use?  I am confident that the answer is that fully
disclosing discovered vulnerabilites without first giving the vendor a
reasonable chance to address them is more harmful. There is no question
that vendors, particulary Microsoft, have a history of neglect in this
area, and folks have a right to be angry with them. Unfortunately, full
disclosure doesn't hurt them as much as it hurts the information
security community as a whole. While not patronizing the vendor because
of the neglect is the most logical choice, it is an impracticality for
many. I don't question the right or ethics of full disclosure. It's just
pain in the neck that might otherwise be avoided or at least minimized.
It's not helping.

-----Original Message-----
From: Larry Seltzer [mailto:larry () larryseltzer com] 
Sent: Wednesday, April 26, 2006 4:34 PM
To: bob () coldrain net; 'Tim Bilbro'
Cc: full-disclosure () lists grok org uk
Subject: RE: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag
vulnerability


There aren't people out there looking to exploit the flaws in your car
in order to drive it where they want it to go. It's a lousy analogy.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/ http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of
bruen () coldrain net
Sent: Wednesday, April 26, 2006 4:25 PM
To: Tim Bilbro
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag
vulnerability


Hi Tim,

   Perhaps instead of viewing this as breaking into locked doors and
look at it as consumer product information, such as problems with my
automobile, it would not appear as such a big deal. I like product
recalls and keeping vendors honest. Product safety has improved
significantly over the past 20 years because of the openness of the
flaws. I am sure that software has and will continue to benefit from
full disclosure of their flaws.

                    cheers, bob


On Wed, 26 Apr 2006, Tim Bilbro wrote:

You do a disservice to all IT shops by announcing these
vulnerabilities before contacting the vendor. I am sure it would not 
generate as much web traffic to your site, but it is only fair and 
right to allow at least some amount of time for the vendor to respond.

If you think you are helping, you are wrong. Would you go around town 
checking which stores are unlocked at night and then publish the list 
in the news before letting the shop owners know? That's pretty much 
what you are doing. It's just not helping. There is no proof that it
is
either.

Tim Bilbro
Information Security Specialist
CISSP, MCSE
trbilbro () verizon net
web: www.bloglines.com/blog/Bilbro
RSS: www.bloglines.com/blog/Bilbro/rss


--
Bob Bruen
Cold Rain Technologies
http://coldrain.net
+1.802.579.6288

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault