[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability

To: Larry Seltzer <larry@xxxxxxxxxxxxxxxx>
Subject: RE: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability
From: bruen@xxxxxxxxxxxx
Date: Wed, 26 Apr 2006 18:03:56 -0400 (EDT)


Hi Larry,

Take the Miller Analogy Test (MAT) and let me know how you make out.

The analogy was as a consumer paying for a product and having the flaws bepublic, for public safety. The products improve as the flaws arediscovered, publicized and corrected. The government has departments, likethe Consumer Product Safety folks, the Federal Drug Administration, theFederal Transportation Safety Board and others to do just that. It is agood analogy if you understand it.

The automobile was merely one example. Other examples might be medicines,locks, airplanes, buildings, guns, flashlights, baby foods, chips,clothing, fire extinguishers, cell phones, highways, bridges, kitchenappliances, ski lifts, bicycles, tractors, surgical procedures, boats andmany more in a very long list.

Actually, flaws in the locks in my car, plus kill switches, car alarms,etc. have been improved just so other people can not (at least not easily)steal my car (exploiting flaws) and then drive it where they want to go.


It's a good analogy. Software should not get a free pass.

                  cheers, bob

On Wed, 26 Apr 2006, Larry Seltzer wrote:

There aren't people out there looking to exploit the flaws in your car in
order to drive it where they want it to go. It's a lousy analogy.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer@xxxxxxxxxxxxx

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of
bruen@xxxxxxxxxxxx
Sent: Wednesday, April 26, 2006 4:25 PM
To: Tim Bilbro
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability


Hi Tim,

  Perhaps instead of viewing this as breaking into locked doors and look at
it as consumer product information, such as problems with my automobile, it
would not appear as such a big deal. I like product recalls and keeping
vendors honest. Product safety has improved significantly over the past 20
years because of the openness of the flaws. I am sure that software has and
will continue to benefit from full disclosure of their flaws.

                   cheers, bob


On Wed, 26 Apr 2006, Tim Bilbro wrote:

You do a disservice to all IT shops by announcing these
vulnerabilities before contacting the vendor. I am sure it would not
generate as much web traffic to your site, but it is only fair and
right to allow at least some amount of time for the vendor to respond.
If you think you are helping, you are wrong. Would you go around town
checking which stores are unlocked at night and then publish the list
in the news before letting the shop owners know? That's pretty much
what you are doing. It's just not helping. There is no proof that it is

either.


Tim Bilbro
Information Security Specialist
CISSP, MCSE
trbilbro@xxxxxxxxxxx
web: www.bloglines.com/blog/Bilbro
RSS: www.bloglines.com/blog/Bilbro/rss

--
Bob Bruen
Cold Rain Technologies
http://coldrain.net


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- RE: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability
  - From: Michal Zalewski

Prev by Date: Re: [Full-disclosure] Should I Be Worried?
Next by Date: [Full-disclosure] Internet Explorer User Interface Races, Redeux
Previous by thread: Re: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability
Next by thread: RE: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability
Index(es):
- Date
- Thread