[SNIP] > > However, a security vulnerability is not, in itself, harmful. What *is* > harmful about a security vulnerability are individuals who wish to exploit > the flaw. Therefore, the harm from a vulnerability increases dramatically > if more people with the ability to exploit the vulnerability are aware of > it. This includes exploiting the flaw through pre-written exploit code of > some kind. This harm is especially great if administrators are exposed > with a known-good workaround. Therefore, vendor communication is the > *preferred* method of dealing with security flaws, at least in the short > term. However, if it becomes obvious that the vendor does not wish to > resolve the vulnerability at hand, it should be disclosed. However, > workarounds should be available so that the added information actually has > the ability to help the administrator. >
Nice tunnel vision, one sided interpretations often tend bolster humor at least. Let's face it, from the otherside of the coin, and of course this coin is more then two sided for sure, hell this whole discussion has been going on for more then 20+ years, prior to the morris worm, but, I digress. The spread of information not only supplies all the lamesters wishing to exploit and ow3n what's not theirs, but, also feeds information to those tasked to fend off those with less then bright lights and wanting what's not theirs. Now, feeding that info to a vendors might not get the info out to the masses of their clients, cause, damn, why would they want to risk losing customers over an issue? They sure do not need to be harrassed with tons of e-mails from various clients about when a fix might come down the pipes, and certainly have no time to talk to any press on the matter while doing some tongue and cheek about "secure computing innitiatives". Certainly the founding issues that brought about the 'original' bugtraq and many of the newer lists like this very one, are promoted by vendors that tend to hide and sit upon information about weaknesses in their products. They tend to cry "foul" alot, and then often tend to follow through not with work to fix their products, but with threats and lawsuits, right snosoft? Folks forget too quickly the minor fallout they had with HP... > While there is some argument about what makes a vendor un-responsive, patch > times in this case are, likely and understandably, quite lengthy. Now we add over generalising to tunnel vision. It depends upon the issue at hand, often the whole fix might be nothing more then removing the suid bits, or something else as trivial... > These > fixes are not trivial to begin with, thanks in no small part to the > incredible number of customers Microsoft has. So, now we are at a pass in a trail, but, since we've gone about nearly blind, why open our eyes at this point!? Had security been a prime motivator in the early M$ days, they might not be so hindered now by zillions of lines of insecure code! > As if the literally millions > of configurations Microsoft software must support weren't enough, think for > a second about the multiple different character sets its code applies to. > Even the *DOCUMENTATION* for the patch must be translated into dozens of > different languages -- no small task with exploitation looming on the > horizon. However, it is obvious that in this case, the reporter did not > attempt any contact with Microsoft what-so-ever. As a user of IE myself, I > find it ridiculous that this course of action was even considered. > And the users that refuse at any cost to have to work with IE in any way shape or form, they chuckle each time those that "remain loyal" spew private information to the unintended eachtime the product is re-exploited, which seems to be about once every 2-4 weeks. > And, last but not least, I don't drink. :-) > You might want to take it up <smile>, viewing from another perspective might add some clarity... > >Some day, m$ will call irresponsible the wrong people, and then, some > >of us will enjoy the fun. > > Might I suggest that someone who would share details with people interested > in exploiting the flaw, before people that flaw might affect, truly *IS* > irresponsible? With that in mind, it doesn't seem like Microsoft would be > wrong at all to call someone who would consider such a course of action > irresponsible. In fact, this is probably exactly what the reporter was > hoping for -- not caring about the established disclosure process, seeking > instead to increase his/her own standing by antagonizing a major company, > at the expense of its millions of customers. While I cannot speak for the > philosophies of other researchers, it is my firm belief that a policy which > exposes millions of systems to exploitation without providing feasible > alternatives for any of them is not only irresponsible, it is negligent. > The debate will rage on for many more years. But allowing M$ and various other vendors to cry foul when information about their lack of pride and responsibility to produce something other then mere crap for big bucks to their clients puts them on par with the spammers and lamers their code tends to foster. Seems to take far less lines of code to create and foster an exploit upon the computing public then the number of it takes lawyers/politicians to screw lightbulbs. Thanks, Ron DuFresne -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html