Bugtraq mailing list archives
Re: Internet Explorer 0day exploit
From: Bigby Findrake <bigby () ephemeron org>
Date: Wed, 18 Jul 2007 11:37:02 -0700 (PDT)
On Wed, 18 Jul 2007, Chris Stromblad wrote:
<deletia>
> One more thing about "advisories". I think it would be better to release them immediately and let people know what they are facing. With public dissemination of a vulnerability perhaps someone will release a 3rd party patch or another inventive way of protecting oneself. Holding it "secret" really doesn't help anyone.
With regards to your last statement, I would like to believe that that's so, or at least that if there is some harm in "early release" of information that that harm is mitigated (if not outright outweighed) by the potential good that's done by alerting the community and thereby allowing them to develop their own responses.
I guess what we're really talking about here is the perceived potential negative impact of letting the bad guys know that a vulnerability exists in space X (that they might then attempt to exploit where without that knowledge, they wouldn't try to exploit it even if it could be argued that they would attempt to find it) vs. the perceived potential good of allowing the good guys to attempt to formulate their own defenses tangential to some sort of "official" response.
It seems to me that without metrics (how many early release advisories turned into exploits that wouldn't have been created without said advisory?) that all discussion on this topic is either philosophical or academic (which is not to imply "without merit").
> Anyways, enough ranting.
I, for one, enjoyed your rant.

-- 
Making files is easy under the UNIX operating system. Therefore, users
tend to create numerous files using large amounts of file space. It has
been said that the only standard thing about all UNIX systems is the
message-of-the-day telling users to clean up their files.
  -- System V.2 administrator's guide

finger://ephemeron.org/bigby
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs