Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: MSIE (mshtml.dll) OBJECT tag vulnerability
From: bkfsec <bkfsec () sdf lonestar org>
Date: Mon, 01 May 2006 16:58:04 -0400

Tim Bilbro wrote:

I don't think it is inevitable. Think about browser DoS vulnerabilties.
An stealth blackhat wouldn't bother with that type of exploit. It's
brute force, messy, doesn't get you root and it's trackable to some
degree. But, lesser hackers will immediately adopt exploits that just
crash the browser for example. So, by publishing that type of exploit
and labeling it crtical you create a new requirement for mitigation that
wouldn't otherwise be there.
If a script kiddie wants to DoS a browser, there are very easy ways to do so without resorting to arcane tricks. Resource consumption/misuse has always been an easy game to master. I think that your example here is a very very poor one. It's like saying that the fork bomb is a well guarded secret.

It's inevitable. If it's a known hole anywhere, it's a matter of time until it gets out. The issues that count, the ones that both black hats and script kiddies care about that get them access, they will always follow the pattern I laid out because it's beneficial to the skilled black hats to do it that way.
Some have suggested a 'Vulnerability Escrow' A third party that tracks
and holds vulnerability discoveries and works with the vendor. I think
that is an idea worth exploring.
I think it's a horrible idea that only creates people with a vested interest in getting paid to hold vulnerabilities in secret. There's no way to enforce its usage and as such it will never result in a lack of disclosure. The "escrow" services will become targets of attacks and eventually, because greed always wins, this new flashy database of 0-days will be sold off to the highest bidder.

I think it's a monumentally bad idea to collect all vulnerability data necessary for the company to fix their product in one place and leave it in the hands of people who only have a monetary goal in their holding of that data.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]