Thread ID: 51501 2004-11-22 21:02:00 Microsoft says they were notified irresponsibly about new vulnerabilities Chilling_Silence (9) Press F1
Post ID Timestamp Content User
295133 2004-11-22 21:02:00 A new vulnerability in the way IE handles IFRAMES (techrepublic.com.com) has been discovered:
The Redmond software giant also expressed concern that this was made public in an irresponsible way rather than notifying the vendor in private first, "potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

How about we begin a movement to scrap IE, then exploits can be announced to whoever first and nobody will complain!
Chilling_Silence (9)
295134 2004-11-22 21:19:00 I do believe that the appropriate people should be informed first, but if no patch is available within a reasonable time frame then it should be made public.
I would have thought that buffer overflows would be a thing of the past now after so much publicity over them.
What is IE's tally this year?
> How about we begin a movement to scrap IE,
Thanks to Firefox it has already begun.
mikebartnz (21)
295135 2004-11-22 21:58:00 > How about we begin a movement to scrap IE, then
> exploits can be announced to whoever first and nobody
> will complain!

How about the Security industry get rewarded by Microsoft when reporting to MS first rather than exposing them, then we may see some pre-emptive behaviour on MS's behalf, because MS themselves are evidently incapable of being pro-active in this regard
Greg S (201)
295136 2004-11-23 00:54:00 Opera Rocks ;) HadO (796)
295137 2004-11-23 01:07:00 I've read a book by a guy who was appointed the security expert in Microsoft. Apparently he went round checking all the code looking for dangerous things and convincing people to change them. Of course this is unique in the industry and Microsoft are the only company which produces secure code. :D

I suspect the real problem is this:

1) It is possible to check for data too big for the allocated storage.
2) There are safe versions of all the library string-copy routines (which is usually when the problem occurs).
3) The safe routines are a little bit slower than the unsafe ones.
4) There are a lot of calls to these routines.
5) New code is first made to work, then it's made to run in "real time".
6) If code is running slow, where is it spending the time?
7) "In my experience, we don't get buffer overflows here."
8) Out go the safe calls. :-(
9) The code runs faster. :-)
10) The code is released to the world. :_|

This one is in JavaScript. Because it's interpreted code, any time penalties are worse ...
Graham L (2)
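A bounds-checked string copy of the kind Graham L's steps 1 and 2 refer to, as an added example in C; it is not code from this thread and the function names are mine. The copy is refused outright (rather than silently truncated) when the source would not fit the allocated storage, which is the check that disappears at step 8.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the bounded copy (hypothetical names). */
enum copy_result { COPY_OK = 0, COPY_TOO_BIG = 1, COPY_BAD_ARG = 2 };

/* Length of s, but never scanning more than limit bytes, so an
 * oversize (or unterminated) source cannot make us read too far. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Step 1 of the post: is there room for src plus its terminator? */
int fits_in_storage(const char *src, size_t dst_size)
{
    if (src == NULL || dst_size == 0)
        return 0;
    return bounded_len(src, dst_size) < dst_size;
}

/* Safe counterpart of strcpy: the copy is refused if src would not
 * fit, and dst is left as an empty (still NUL-terminated) string. */
enum copy_result bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARG;
    if (!fits_in_storage(src, dst_size)) {
        dst[0] = '\0';
        return COPY_TOO_BIG;
    }
    memcpy(dst, src, bounded_len(src, dst_size) + 1);
    return COPY_OK;
}

int main(void)
{
    char buf[8];                       /* room for 7 characters + NUL */
    const char *inputs[] = { "hello", "1234567", "12345678" };  /* constructed */
    for (size_t i = 0; i < 3; i++) {
        enum copy_result r = bounded_copy(buf, sizeof buf, inputs[i]);
        printf("%-10s -> result %d, buf=\"%s\"\n", inputs[i], (int)r, buf);
    }
    return 0;
}
```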