I am forwarding just one more post on this topic. It is a subject more appropriate for RISKS than BUGTRAQ but I'll use it as my soap box for the day. What follows is an anonymous message from an engineer at Microsoft in response to the original post that started this thread.

---------- Forwarded message ----------

I mostly want to address Geoffrey's concerns about the public statement for the "res://..." attack. I, too, was concerned to read the comment that [MS could only reproduce a crash, which is not a security problem].

I tracked down the author of that quote, which required about 2 hours of detective work, since there were many MS employees with the same last name. The person in question is _not_ a software engineer; he is a marketing type. He was quoted because a reporter phoned him directly. Instead of checking with a developer, he tried the example home page and noted that IE crashed for him. "Not a security hole," he thought. Sigh.

By the time I contacted him, MANY other MS devs had already done so. The IE devs were well aware of the implications of the stack-smashing bug and were at work fixing it. Our marketer had already been sufficiently educated on the subject of crashes, security holes, and going on record with insufficient information.

Lessons, believe it or not:

  MS engineers are not unaware of exploit techniques.
  Not all MS employees are engineers.
  MS employees quoted by magazines are almost never engineers.

-------- End forwarded message --------

<SOAPBOX>

Which brings me to my rant of the day. It seems to me that in the rush to the online world we have lost many things. In particular quality of almost any kind, the most obvious being the lack of any difference nowadays between a beta or release software product. But the one I have in mind right now is a different type of quality. That of quality journalism. All too often we see articles online that no paper based newspaper or magazine would publish.

Now this is not to say that there are not high-quality journalists publishing online. I've actually had the pleasure to chat with some. But there is something amiss. Maybe it's the ethereal nature of the medium. After all once you print something on paper you can go back and recall the prints so you are forced to make sure your facts are correct before performing that last step. It is all too easy in online publications to update them and fix any errors or omissions after the fact. You also have each publishing house trying to beat each other on stories and datelines and all too often they use some PR or marketing person as a source for technical information that the author does not understand to begin with.

But maybe it's just me.

</SOAPBOX>

Aleph One / aleph1at_private
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01