Bugtraq mailing list archives

Re: Internet Explorer 0day exploit

From: Bigby Findrake <bigby () ephemeron org>
Date: Wed, 18 Jul 2007 11:37:02 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 18 Jul 2007, Chris Stromblad wrote:

<deletia>

One more thing about "advisories". I think it would be better to release
them immediately and let people know what they are facing. With public
dissemination of a vulnerability perhaps someone will release a 3rd
party patch or another inventive way of protecting oneself. Holding it
"secret" really doesn't help anyone.

With regards to your last statement, I would like to believe that that'sso, or at least that if there is some harm in "early release" ofinformation that that harm is mitigated (if not outright outweighed) bythe potential good that's done by alerting the community and therebyallowing them to develop their own responses.

I guess what we're really talking about here is the perceived potentialnegative impact of letting the bad guys know that a vulnerability existsin space X (that they might then attempt to exploit where without thatknowledge, they wouldn't try to exploit it even if it could be argued thatthey would attempt to find it) vs. the perceived potential good ofallowing the good guys to attempt to formulate their own defensestangential to some sort of "official" response.

It seems to me that without metrics (how many early release advisoriesturned into exploits that wouldn't have been created without saidadvisory?) that all discussion on this topic is either philosophical oracademic (which is not to imply "without merit").

Anyways, enough ranting.


I, for one, enjoyed your rant.

- --Making files is easy under the UNIX operating system. Therefore, users

tend to create numerous files using large amounts of file space.  It
has been said that the only standard thing about all UNIX systems is
the message-of-the-day telling users to clean up their files.
               -- System V.2 administrator's guide

finger://ephemeron.org/bigby
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBRp5dzuG50ohcWywfEQIaGwCdFvAHqttbczpDKBmJXkJZrDf1/BgAnRzh
tNxtwD2MTu+qYgDY0EpRCuC0
=xb3M
-----END PGP SIGNATURE-----

Current thread:

Re: Internet Explorer 0day exploit, (continued)
- - - Re: Internet Explorer 0day exploit Gadi Evron (Jul 17)
    - Re: Internet Explorer 0day exploit Chris Stromblad (Jul 18)
    - Re: Internet Explorer 0day exploit Zow (Jul 18)
    - Re: Internet Explorer 0day exploit Chris Stromblad (Jul 20)
    - Re: Internet Explorer 0day exploit Zow (Jul 19)
    - Re: Internet Explorer 0day exploit Chris Stromblad (Jul 20)
    - Re: Internet Explorer 0day exploit Chad Perrin (Jul 20)
    - RE: Internet Explorer 0day exploit Ken Kousky (Jul 23)
    - RE: Internet Explorer 0day exploit Hugo van der Kooij (Jul 24)
    - RE: Internet Explorer 0day exploit Roger A. Grimes (Jul 24)
    - Re: Internet Explorer 0day exploit Bigby Findrake (Jul 18)
    - Re: Internet Explorer 0day exploit Chris Stromblad (Jul 20)
    - Message not available
    - Re: Internet Explorer 0day exploit Aaron Katz (Jul 23)
    - Re: Internet Explorer 0day exploit Aaron Katz (Jul 23)
- Re: Re: Internet Explorer 0day exploit piercede (Jul 23)