Re: IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006

To: Securityfocus <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006
From: Reversemode <advisories@xxxxxxxxxxxxxxx>
Date: Fri, 27 Oct 2006 19:14:36 +0200
In-reply-to: <87e395c80610261042n5f45d29ch2ea6f8fd1f3b0e62@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <87e395c80610261042n5f45d29ch2ea6f8fd1f3b0e62@xxxxxxxxxxxxxx>
Sender: Reversemode <advisories@xxxxxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.7 (Windows/20060909)

>"Let me sum up: in this case IE is vulnerable, only IE is vulnerable,
> and Microsoft say "These reports are technically inaccurate: the issue
> concerned in these reports is not in Internet Explorer 7 (or any other
> version) at all".

I assume that bugtraq is an objective security list. Subjective
opinions? I do not think so.

If you post saying "X" product is vulnerable, you should be able to
demonstrate it. From a security researcher standpoint,  the important
thing is where the flaw is located, since your products/company could be
exposing the flawed component through a bunch of attack vectors.
So let's imagine that Microsoft had released an advisory just saying
that the culprit is Internet Explorer ONLY. It wouldn't be very funny if
you are using that mhtml component within your own product, since you
would think: "Ok, no problem, IE is vulnerable ONLY". What would happen
if you have to write down a vulnerability report on it?.

Btw, you have censored an important part of the original "advisory" for
your own profit :

----
>"Let me sum up: in this case IE is vulnerable, only IE is vulnerable,
> and Microsoft say "These reports are technically inaccurate: the issue
> concerned in these reports is not in Internet Explorer 7 (or any other
> version) at all" -> "Rather, it is in a different Windows component,
specifically a component in Outlook Express. While these reports use
Internet Explorer as a vector the vulnerability itself is in Outlook
Express"
"
----

Attack vectors != vulnerabilities

For example, is a vuln within the Quicktime Browser plugin  the same
that a flaw within the own IE? I don't think so.

I am not defending Microsoft. I am defending that every
vendor/researcher should release proper advisories, i.e When Microsoft
hid information in a security bulletin  few months ago,( NtClose
DeadLock issue/MS06-30), I posted to the list  objective technical
details demonstrating it. If you have technical details demonstrating
that a shared component is not the culprit, but IE does, I'll shut up
myself. Frankly, I only trust in technical reasoning, I don't mind who
is the vendor.

Regards,
Rubén.

References:
- IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006
  - From: LIUDIEYU dot COM

Prev by Date: vulnerability in Symantec products
Next by Date: Re: [Full-disclosure] IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006
Previous by thread: IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006
Next by thread: Re: [Full-disclosure] IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006
Index(es):
- Date
- Thread