Network Security Vuln-Dev

Re: IE7 is a Source of Problem - Secunia IE7 Release Incident of October

Subject: Re: IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006
Date: Fri, 27 Oct 2006 19:14:36 +0200
"Let me sum up: in this case IE is vulnerable, only IE is vulnerable,
and Microsoft say "These reports are technically inaccurate: the issue
concerned in these reports is not in Internet Explorer 7 (or any other
version) at all".

I assume that bugtraq is an objective security list. Subjective
opinions? I do not think so.

If you post saying "X" product is vulnerable, you should be able to
demonstrate it. From a security researcher's standpoint, the important
thing is where the flaw is located, since your products/company could be
exposing the flawed component through a bunch of attack vectors.
So let's imagine that Microsoft had released an advisory just saying
that the culprit is Internet Explorer ONLY. It wouldn't be very funny if
you are using that mhtml component within your own product, since you
would think: "Ok, no problem, IE is vulnerable ONLY". What would happen
if you had to write up a vulnerability report on it?

Btw, you have censored an important part of the original "advisory" for
your own profit:

----
"Let me sum up: in this case IE is vulnerable, only IE is vulnerable,
and Microsoft say "These reports are technically inaccurate: the issue
concerned in these reports is not in Internet Explorer 7 (or any other
version) at all" -> "Rather, it is in a different Windows component,
specifically a component in Outlook Express. While these reports use
Internet Explorer as a vector the vulnerability itself is in Outlook
Express"
"
----

Attack vectors != vulnerabilities

For example, is a vuln within the Quicktime Browser plugin the same
as a flaw within IE itself? I don't think so.

I am not defending Microsoft. I am defending the idea that every
vendor/researcher should release proper advisories, i.e. when Microsoft
hid information in a security bulletin a few months ago (NtClose
DeadLock issue/MS06-30), I posted to the list objective technical
details demonstrating it. If you have technical details demonstrating
that a shared component is not the culprit, but IE is, I'll shut up
myself. Frankly, I only trust technical reasoning; I don't mind who
the vendor is.

Regards,
Rubén.
