[17818] in bugtraq


Re: Submission

daemon@ATHENA.MIT.EDU (Ryan Russell)
Tue Nov 28 16:08:52 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.GSO.4.21.0011272145560.2234-100000@mail>
Date:         Mon, 27 Nov 2000 22:01:25 -0800
Reply-To: Ryan Russell <ryan@SECURITYFOCUS.COM>
From: Ryan Russell <ryan@SECURITYFOCUS.COM>
X-To:         hellnbak@HUSHMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200011271750.JAA07214@user3.hushmail.com>

On Mon, 27 Nov 2000 hellnbak@HUSHMAIL.COM wrote:

> OK, with that being said many of you are probably thinking that Georgi is
> not allowed to cooperate with Microsoft because of his job with
> Netscape/AOL.  To be blunt, this is nothing more than a lame excuse.
> Companies work with their competitors over security holes constantly.  In
> fact, I have seen advisories (the recent MS Network Monitor ones as an
> example) that contain issues worked on by two very competitive companies,
> ISS and NAI.

As a counter-example, our vulnhelp folks tried to coordinate a vuln
release recently that had to do with the locale bug in (g)libc that
affected most unix vendors, discovered by CoreSDI.  Some Linux vendors
jumped the gun.  I suspect the idea of waiting on other (competing?)
vendors to get their fix together, when someone is ready to go, is a new
thing for them.  It's been a couple months, and Sun still isn't quite
done.  I don't expect the Linux folks would have waited too long, and I
don't think we would have expected them to wait 2 months.  We'll all
probably have to go through a few iterations of this type of thing before
it works itself out.

Having said that, I don't think that has anything to do with Georgi's
decision on when to release.  If you check out his web pages
(guninski.com) you'll see that he has 16 Netscape vulns in addition to the
~40 IE holes.  This probably has to do with the fact that IE just
encompasses a larger set of functionality, and therefore provides a
potentially greater source of holes, and is probably just more interesting
to research.

> I know a lot of you are probably thinking that this rant is pointed
> directly at Georgi and I guess it is as he is probably the largest
> offender.  Georgi, take this message for what it is worth, you are no
> longer doing the security industry a service, you are letting people
> know that AOL/Netscape and their big pockets can take a once respected
> person and obviously very intelligent security professional and use them
> to do their bidding.

Netscape doesn't need Georgi's help looking bad.  Once they stopped
acknowledging bugs in their browser and releasing fixes in a timely
manner, they clearly communicated their feelings on security.  I'm
impatient for Mozilla.  I hope that the bloated piece of software that
barely runs called Netscape 6 doesn't reflect the state of the Mozilla
project.

						Ryan
