I've probably found a dozen or so security holes in Microsoft products. Many of these problems were reported on the BugTraq list without full disclosure. How come so few people have ever approached me for the full details? I guess I don't see the same level of demand for full-disclosure as you do.

However, one thing is now crystal clear with Code Red: full-disclosure comes with one hell of a price tag. There has to be a better way.

Richard

-----Original Message-----
From: aleph1at_private [mailto:aleph1at_private]
Sent: Friday, August 10, 2001 3:24 PM
To: Richard M. Smith
Cc: bugtraqat_private
Subject: Re: Can we afford full disclosure of security holes?

* Richard M. Smith (rmsat_private) [010810 19:19]:
> For this particular IIS bug, it is all very simple. If you run IIS,
> download the Microsoft patch!
>
> Buffer overflows are a dime a dozen. Who really cares about the
> details of this particular problem other than Microsoft?

Who cares? System administrators, security vendors, researchers, etc.
Did you not read my message? All these people need the information.

> Richard

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 17:19:09 PDT