mailing list archives
Re: MSIE (mshtml.dll) OBJECT tag vulnerability
From: Tim <tim-security () sentinelchicken org>
Date: Thu, 27 Apr 2006 18:37:58 -0400
Full Disclosure is a good thing and anyone involved in the security
community should be thankful for its existence! If people actually believe
that the 0-days posted to this list are all 100% unique.... all i can say is
wow, you're disconnected.
At least twice in the last year, myself and coworkers have found
vulnerabilities in widely-deployed software while performing pentests,
only to find someone else posted the exact same flaws before we had a
chance to. No, we didn't leak these holes, they were found
independently prior to us finding them. I imagine this happens a lot.
Notifying a vendor prior to public disclosure probably helps the public
more than it hurts, at least initially. But if one waits too long on
the vendor, someone else *will* find the hole and may decide to use it
for various nasties. Knowing what that break-even point is in delaying
disclosure involves knowing many variables that can only be estimated.
Therefore the amount you "should" wait on a vendor to disclose is very
subjective even if we all agree we should be defending the public (which
on this list, is not the case). So, why don't we stop arguing about it
and just deal with the information the best we can?
PS- For those of you complaining about MZ, how long will you sit in
Microsoft's frying pan? Why not get out so you don't have to
worry about it?
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Re: MSIE (mshtml.dll) OBJECT tag vulnerability meta security (Apr 27)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability, (continued)
RE: MSIE (mshtml.dll) OBJECT tag vulnerability Tim Bilbro (Apr 27)
Re: MSIE (mshtml.dll) OBJECT tag vulnerability 0x80 (Apr 28)
Re: MSIE (mshtml.dll) OBJECT tag vulnerability 0x80 (Apr 30)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Tim (Apr 27)