[VIM] new strategy for dealing with pesky vulnerabilities
jms at bughunter.ca
Mon Oct 8 16:38:23 UTC 2007
-----BEGIN PGP SIGNED MESSAGE-----
Is it any wonder that the faith in responsible disclosure is waning? Who
are you protecting by giving this to a company like HP and praying to
the Greek goddess Vulnerabilica and hoping they will fix it? Meanwhile,
if after 6 months you drop a 0-day because they haven't done anything,
they might just move on it. But then of course you get absolutely flamed
for being a black-hat... oh well, it's Thanksgiving here today, turkey
will make me feel better.
security curmudgeon wrote:
> 11/02/2004 Initial vendor notification
> 11/03/2004 Initial vendor response
> 12/19/2005 Second vendor notification
> 01/30/2007 Third vendor notification
> 01/30/2007 Third vendor response
> 04/25/2007 Status update requested
> 06/08/2007 Status update requested
> 07/24/2007 Status update requested
> 07/30/2007 Vendor stated product's support ended in 2002
> 08/06/2007 Vendor communicated their response
> 08/07/2007 Coordinated public disclosure
> November 2, 2004, HP is informed of the vulnerability in HP-UX 11.11i.
> Almost three years later, HP says "product's support ended in 2002".
> Also from the advisory:
> Hewlett-Packard states that this product is obsolete and no longer
> supported. They have no plans to release a patch or advisory. They
> further stated that the version of HP-UX used to verify this
> vulnerability is also obsolete.
> "HP simply recommends that customers upgrade to a currently supported OS
> release and to some other tool, if one is available."
> So it took HP almost three years to realize the software was no longer
> supported and say that is a solution?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----