Bugtraq mailing list archives

Re: Internet Explorer 0day exploit


From: Chris Stromblad <cs () outpost24 com>
Date: Fri, 20 Jul 2007 10:22:32 +0200

Zow Terry Brugger wrote:
>> ideal world. Many of the advisories I look at almost always cover the
>> same type of vulnerability. Shouldn't we have learned by now, if we
>> consider your argument?
>
> It's been a while, but one of the great things I've seen Bugtraq used for is
> to look at the distribution of vulnerabilities. In the past few years, my
> perception is that there's been a decline in the number of buffer overflow
> attacks and most of what we see today are web attacks like cross-site
> scripting and remote file injection. Seeing these trends is important because
> it tells us as a community where we need to focus our efforts.
>
>> However, perhaps one/I just need to shift the way I look at advisories.
>> Rather than seeing them as "late" and "out-of-date", they could be an
>> additional source of information about a particular system. I'll accept
>> that.
>
> That too. Let me tell you, if I ever need to set up a web forum for
> something, I'm going to look at Bugtraq to see what the track record is for
> the systems I'm considering.
>
>> are almost at the verge of being completely void. A remedy for that
>> would be to have the security community agree on a common "advisory
>> protocol" that defines a guideline for contents in an advisory. Anyways,
>
> Great idea! Much like the RFP vendor notification policy (Which I haven't
> seen mentioned in a while, so I encourage everyone doing vulnerability
> research to see http://www.wiretrip.net/rfp/policy.html). Anyone care to
> propose a template (presumably if someone who the community respects does so,
> it's more likely to catch on)?

Yes, ideally if someone with a bit of community credibility could step
up and propose a standard that certainly would kick start it a little bit.

Another great benefit of such a template would be consistency in layout
and contents. Also to improve the educational value of an advisory it
would be neat if an appropriate code-segment of the vulnerability could
be included. Now people will argue the whole intellectual property
aspect but I seriously doubt that 3-5 lines of code are going to affect
anything.

Let's do something about this!


> Terry
>
> import standard.disclaimer;


- --
Chris Stromblad (CEH)
Head of Security Services
Outpost24 UK

90 Long Acre
Covent Garden
London, WC2 E9RZ

- -------------------------
Tel: +44 (0) 207 849 3097
Dir: +44 (0) 208 099 6595
Fax: +44 (0) 207 849 3140
- -------------------------