A Bug A Day in July

Started by TehBorken, Jul 15 06 06:11

TehBorken

SecurityFocus has an article about HD Moore's Exploit-Every-Day-in-July endeavor raising the hackles of both browser vendors and criminals (http://www.securityfocus.com/news/11400/2). He started the project because he felt that vendors were not taking his analysis seriously enough, but he appears to be the only one enjoying it. 'Black Hats' are having their exploits exposed, and Microsoft (who bears responsibility for the majority of the browser holes) can't keep up with the pace he's setting (in fact, they aren't even trying).

Microsoft indirectly criticized the release of vulnerabilities in a statement to SecurityFocus, stating "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."

Except most if not ALL of these bugs have been reported to Microsoft, sometimes months ago, and they're still not fixed. By comparison, bugs reported to the Firefox and Mozilla teams are often fixed in a day or two.

Here are the responses from the different browsers after receiving vulnerability reports:

Firefox: Fixed!
Opera: Fixed in 9.0!
IE: ...(4 months later) DUDE!? Why you have to go tattle on us!?

Clearly "in everyone's best interest" means "in Microsoft's interest."

The real trouble with reality is that there's no background music.