Re: Internet Explorer 0day exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Zow Terry Brugger wrote:
>> ideal world. Many of the advisories I look at almost always cover the
>> same type of vulnerability. Shouldn't we have learned by now, if we
>> consider your argument?
>
> It's been a while, but one of the great things I've seen Bugtraq used for is
> to look at the distribution of vulnerabilities. In the past few years, my
> perception is that there's been a decline in the number of buffer overflow
> attacks and most of what we see today are web attacks like cross-site
> scripting and remote file injection. Seeing these trends is important because
> it tells us as a community where we need to focus our efforts.
>
>> However, perhaps one/I just need to shift the way I look at advisories.
>> Rather than seeing them as "late" and "out-of-date", they could be an
>> additional source of information about a particular system. I'll accept
>> that.
>
> That too. Let me tell you, if I ever need to set up a web forum for
> something, I'm going to look at Bugtraq to see what the track record is for
> the systems I'm considering.
>
>> are almost at the verge of being completely void. A remedy for that
>> would be to have the security community agree on a common "advisory
>> protocol" that defines a guideline for contents in an advisory. Anyways,
>
> Great idea! Much like the RFP vendor notification policy (Which I haven't
> seen mentioned in a while, so I encourage everyone doing vulnerability
> research to see http://www.wiretrip.net/rfp/policy.html). Anyone care to
> propose a template (presumably if someone who the community respects does so,
> it's more likely to catch on)?
Yes, ideally if someone with a bit of community credibility could step
up and propose a standard that certainly would kick start it a little bit.
Another great benefit of such a template would be consistency in layout
and contents. Also to improve the educational value of an advisory it
would be neat if an appropriate code-segment of the vulnerability could
be included. Now people will argue the whole intellectual property
aspect but I seriously doubt that 3-5 lines of code are going to affect
anything.
Let's do something about this!
>
> Terry
>
> import standard.disclaimer;
>
- --
Chris Stromblad (CEH)
Head of Security Services
Outpost24 UK
90 Long Acre
Covent Garden
London, WC2 E9RZ
- -------------------------
Tel: +44 (0) 207 849 3097
Dir: +44 (0) 208 099 6595
Fax: +44 (0) 207 849 3140
- -------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGoHDI+CG0a/ZJxn8RAhHEAJ437PJf7shw7gmnivqncIXEF4dZbQCgpaTK
3zxJsLOTxwb+TffwDQYsO6U=
=7uds
-----END PGP SIGNATURE-----