Re: MSIE (mshtml.dll) OBJECT tag vulnerability
From: bkfsec <bkfsec () sdf lonestar org>
Date: Mon, 01 May 2006 16:58:04 -0400
Tim Bilbro wrote:
If a script kiddie wants to DoS a browser, there are very easy ways to
do so without resorting to arcane tricks. Resource consumption/misuse
has always been an easy game to master. I think that your example here
is a very very poor one. It's like saying that the fork bomb is a well
I don't think it is inevitable. Think about browser DoS vulnerabilities.
A stealth blackhat wouldn't bother with that type of exploit. It's
brute force, messy, doesn't get you root and it's trackable to some
degree. But, lesser hackers will immediately adopt exploits that just
crash the browser for example. So, by publishing that type of exploit
and labeling it critical you create a new requirement for mitigation that
wouldn't otherwise be there.
It's inevitable. If it's a known hole anywhere, it's a matter of time
until it gets out.
The issues that count, the ones that both black hats and script kiddies
care about that get them access, they will always follow the pattern I
laid out because it's beneficial to the skilled black hats to do it that
I think it's a horrible idea that only creates people with a vested
interest in getting paid to hold vulnerabilities in secret. There's no
way to enforce its usage and as such it will never result in a lack of
disclosure. The "escrow" services will become targets of attacks and
eventually, because greed always wins, this new flashy database of
0-days will be sold off to the highest bidder.
Some have suggested a 'Vulnerability Escrow': a third party that tracks
and holds vulnerability discoveries and works with the vendor. I think
that is an idea worth exploring.
I think it's a monumentally bad idea to collect all vulnerability data
necessary for the company to fix their product in one place and leave it
in the hands of people who only have a monetary goal in their holding of
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/