Re: MSIE (mshtml.dll) OBJECT tag vulnerability

[Tim <tim-security () sentinelchicken org>]

> Full Disclosure is a good thing and anyone involved in the security
> community should be thankful for its existence!  If people actually believe
> that the 0-days posted to this list are all 100% unique.... all i can say is
> wow, you're disconnected.  

Ditto.

Case study:
At least twice in the last year, myself and coworkers have found
vulnerabilities in widely-deployed software while performing pentests,
only to find someone else posted the exact same flaws before we had a
chance to.  No, we didn't leak these holes, they were found
independently prior to us finding them.  I imagine this happens a lot.

Notifying a vendor prior to public disclosure probably helps the public
more than it hurts, at least initially.  But if one waits too long on
the vendor, someone else *will* find the hole and may decide to use it
for various nasties.  Knowing what that break-even point is in delaying
disclosure involves knowing many variables that can only be estimated.
Therefore the amount you "should" wait on a vendor to disclose is very
subjective even if we all agree we should be defending the public (which
on this list, is not the case).  So, why don't we stop arguing about it
and just deal with the information the best we can?


tim


PS- For those of you complaining about MZ, how long will you sit in
    Microsoft's frying pan[1]? Why not get out so you don't have to
    worry about it? 

1. http://www.clichesite.com/content.asp?which=tip+2858

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/