Saturday, July 15, 2006

Responsible disclosure

At the risk of offending the usual parties, let me state that I'm getting tired of a certain vendor trotting out the "we're disappointed in the lack of responsible disclosure" line. What's not said in the article is: the vendors were notified previously, most of the vulnerabilities are not readily "usable", and the white hats listed in the article are those at MS, not all white hats.

The question that people should be asking is: if Firefox and Opera can keep up with applying fixes, why can't IE?

For those of us who have to eat antacids while waiting for the vulnerabilities to be patched: for many of the vulnerabilities, the workaround is "turn off ActiveX".
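For anyone who wants to apply that workaround in a repeatable way rather than clicking through Internet Options, here is an added example (not from the original post) that turns off the ActiveX settings for the IE Internet zone and checks that they stuck, plus a function to set the per-control kill bit for a specific CLSID. The registry paths and action IDs are Microsoft's documented IE zone settings (KB182569) and kill-bit mechanism (KB240797); the function names and the placeholder CLSID are this example's own assumptions.

```powershell
# Added example: disable ActiveX in the IE Internet zone via the documented
# zone-settings registry keys, then verify. Per-user (HKCU), no admin needed.
# Function names here are illustrative, not a Microsoft API.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet
$Disable  = 3   # documented action values: 0 = Enable, 1 = Prompt, 3 = Disable

# Documented action IDs that govern ActiveX behaviour within a zone (KB182569).
$ActiveXActions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

function Disable-ZoneActiveX {
    param([string]$Path = $ZonePath)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($id in $ActiveXActions.Keys) {
        Set-ItemProperty -Path $Path -Name $id -Value $Disable -Type DWord
    }
}

# Returns $true only when every ActiveX action in the zone is set to Disable;
# otherwise warns about each setting that still permits or prompts.
function Test-ZoneActiveXDisabled {
    param([string]$Path = $ZonePath)
    $props = Get-ItemProperty -Path $Path
    $stillAllowed = foreach ($id in $ActiveXActions.Keys) {
        if ($props.$id -ne $Disable) { "$id ($($ActiveXActions[$id])) = $($props.$id)" }
    }
    if ($stillAllowed) {
        $stillAllowed | ForEach-Object { Write-Warning "Still permitted: $_" }
        return $false
    }
    return $true
}

# Kill bit (KB240797): blocks one specific control in IE regardless of zone
# settings. Writes to HKLM, so this part needs an elevated shell.
function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $Path = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    # 0x400 is the documented kill-bit flag; OR it in so other flags are preserved.
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value ($flags -bor 0x400) -Type DWord
}

Disable-ZoneActiveX
Test-ZoneActiveXDisabled

# Usage for a single control, using a placeholder CLSID (hypothetical, not a
# real vulnerable control); substitute the CLSID from the vendor's advisory:
# Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

The zone settings take effect for new IE windows of the current user; to enforce them machine-wide, the same action IDs live under the matching HKLM zone key and can be pushed by Group Policy. The kill bit is the narrower tool: it disables one control everywhere in IE without touching the zone model, which is why vendors publish CLSIDs for it in their advisories.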