Firefox buffer overflow and full disclosure
Posted Sep 16, 2005 21:20 UTC (Fri) by gerv
In reply to: Firefox buffer overflow and full disclosure
Parent article: Firefox buffer overflow and full disclosure
publicly releasing the details of the flaw they discovered
is benefiting and protecting the users, NOT exposing them to any kind of
That's clearly not true. The more black hats know about the flaw, the more at risk users are. Claiming that releasing details while there's no patch available does not expose users to any extra risk at all is a ridiculous position, not even generally held by advocates of immediate disclosure (who normally say: "Yes, there's an extra risk, but it's worth it to kick the vendor into action").
In a few types of flaw, users can take action to protect themselves, but normally they are at the mercy of the vendor to provide a patch. So revealing the information to the user does not benefit them at all, because they are in exactly the same position as previously - waiting for their vendor. Except now there are more people who know how to attack them.
You seem to be laboring under the delusion
that the security hole doesn't exist until it has been publicly disclosed...
I don't think my comments say that at all. I am merely making the point that the risk associated with a hole is equal to the severity of the problem multiplied by the number of people with evil intent who know about it. There are probably 100 holes in [pick-a-product-name] right now which are zero risk, because 0 people know about them - they haven't been discovered by anyone yet.
Again, in a limited number of cases, a hole has to be revealed when there's no patch because either the vendor is uncooperative or has made it clear they aren't going to produce a fix. But neither of those things was true in this case.