Devastating bug effects all recent versions of IE.

[Nothinman]

This is tight lipped. This is a solid method. The problem is, most of the white hats who find these exploits cant keep thier mouth's shut for any period of time. It's only human, they HAVE to tell someone and show off. I'd probably do the same thing. That said, it's very irresponsible behaviour.

Some also feel some discussion is warranted to decide if it's really a problem or not, not everything everyone finds as a bug is really exploitable or is dismissable for some other reason. And like you said MS dismissed this problem as not one the first time he told them about it, so you can't trust them to be honest about it.

I guess it's safe to assume the knowledge is in the wrong hands already. Might as well tell everyone........

It's always safe to assume the knowledge is in the wrong hands, just because a white hat reports it to MS or on BugTraq first doesn't mean they're the first to find it.

 

[Saltin]

To the best of my knowledge, the vulnerability we are discussing today was discovered on Nov 18. That's three weeks and change ago. I don't think it has been an unreasonable amount of time yet, especially, as you say, when you take the extensive testing required into account.
That said, I would expect a patch from MS in the very_near_future. Regardless of what the MS bashers like to say, things like this are usually patched in short order. Especially when compared to other development houses.

 

[n0cmonkey]

<< This is tight lipped. This is a solid method. The problem is, most of the white hats who find these exploits cant keep thier mouth's shut for any period of time. It's only human, they HAVE to tell someone and show off. I'd probably do the same thing. That said, it's very irresponsible behaviour.

Some also feel some discussion is warranted to decide if it's really a problem or not, not everything everyone finds as a bug is really exploitable or is dismissable for some other reason. And like you said MS dismissed this problem as not one the first time he told them about it, so you can't trust them to be honest about it. >>



And how many exploits out there were modified slightly to create anther problem? Sometimes the patches fix the real problem, and sometimes it only fixed the specific problem. Microsoft had problems with this before.



<< I guess it's safe to assume the knowledge is in the wrong hands already. Might as well tell everyone........

It's always safe to assume the knowledge is in the wrong hands, just because a white hat reports it to MS or on BugTraq first doesn't mean they're the first to find it. >>



Chances are there are plenty of exploits out there that no white hats will find for quite a while.

 

[n0cmonkey]

<< To the best of my knowledge, the vulnerability we are discussing today was discovered on Nov 18. That's three weeks and change ago. I don't think it has been an unreasonable amount of time yet, especially, as you say, when you take the extensive testing required into account.
That said, I would expect a patch from MS in the very_near_future. Regardless of what the MS bashers like to say, things like this are usually patched in short order. Especially when compared to other development houses. >>



3 weeks is not too long to wait, and in this situation the white hat may have been in the wrong. I wont make a definite judgement either way because I dont know enough about the situation. If I were in his shoes it would depend on the replies from Microsoft. But a nice quick fix would be nice. Maybe some way to get around having to worry about this problem while the patch is being worked on. Most developers that release patches dont do enough of this. OpenBSD was accused of something like this a while back when a patch took a while. If this bug is as big as it is made out to be, then 1 month would be quick for a GOOD fix, but 3 weeks is too long for a quick fix or warning.

 

[Saltin]

<< Some also feel some discussion is warranted to decide if it's really a problem or not, not everything everyone finds as a bug is really exploitable or is dismissable for some other reason. And like you said MS dismissed this problem as not one the first time he told them about it, so you can't trust them to be honest about it. >>



I believe discussion is important too, but not everyone should be included in that discussion. The (possible) exploit being examined could be extremely dangerous in the wrong hands.
Further, MS did dimiss the problem the first time, but I also stated that they later admitted thier error in doing so. What's not to trust there? People make mistakes like this often, regardless of who they work for. At least they were big enough to owe up to it.

Lets not talk about the exsistance of all the various exploits out there fellas. That's a fact of life and obvious to us all. Let's talk about this situation and the way MS is handling it.

 

[Nothinman]

Further, MS did dimiss the problem the first time, but I also stated that they later admitted thier error in doing so. What's not to trust there?

Because I don't believe MS dismissed the problem because they really believed it to be harmless. I admit I'm biased against MS, that's just my opinion of them.

Lets not talk about the exsistance of all the various exploits out there fellas. That's a fact of life and obvious to us all. Let's talk about this situation and the way MS is handling it.

But that's a big part of the discussion. If you assume there's already an exploit available somewhere it's in everyone's best interest to get knowledge about the bug in the mainstream so people can defend themselves (even if it means not using someting like IE or OE until a patch is out).