
This page contains all of the posts and discussion on MemeStreams referencing the following web page: Vuln Disclosure? WTF?.

Vuln Disclosure? WTF?
by Acidus at 10:41 am EST, Jan 8, 2007

-- Disclosure Timeline:
2006.02.27 - Pre-existing digital Vaccine released to TippingPoint
customers
2006.08.31 - Vulnerability reported to vendor
2006.12.12 - Coordinated public release of advisory

I noticed this in a vuln report for a remote code execution in JavaScript for IE. Maybe this is a mistake, but it appears that TippingPoint aka 3Com took steps to protect/secure their customers 6 months before even reporting the issue.

Surely this cannot be a standard security practice. Is this what corporate 0-day purchasing has forced?


 
RE: Vuln Disclosure? WTF?
by Decius at 11:27 am EST, Jan 8, 2007

Acidus wrote:

> -- Disclosure Timeline:
> 2006.02.27 - Pre-existing digital Vaccine released to TippingPoint
> customers
> 2006.08.31 - Vulnerability reported to vendor
> 2006.12.12 - Coordinated public release of advisory
>
> I noticed this in a vuln report for a remote code execution in JavaScript for IE. Maybe this is a mistake, but it appears that TippingPoint aka 3Com took steps to protect/secure their customers 6 months before even reporting the issue.
>
> Surely this cannot be a standard security practice. Is this what corporate 0-day purchasing has forced?

It means they are claiming the vulnerability is covered by some generic javascript shellcode signature that was written a long time before they'd ever heard of this vulnerability.
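
An added illustration of the point in the reply above (not part of the thread and not TippingPoint's actual filter): a payload-keyed heuristic flags the encoded blob a page carries rather than the bug it triggers, so it can predate any particular advisory. The thresholds, function names and sample pages are assumptions constructed for this example.

```python
import re
from collections import Counter

MIN_UNITS = 16       # assumed threshold: %uXXXX units in one unbroken run
FILLER_RATIO = 0.5   # assumed: share of one repeated unit that suggests padding

ESCAPED_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){" + str(MIN_UNITS) + r",}")


def generic_payload_hits(page: str) -> list[dict]:
    """One finding per long %uXXXX run, regardless of which bug the page targets."""
    hits = []
    for m in ESCAPED_RUN.finditer(page):
        units = [u.lower() for u in m.group(0).split("%u")[1:]]
        _, count = Counter(units).most_common(1)[0]
        hits.append({
            "offset": m.start(),
            "units": len(units),
            "padded": count / len(units) >= FILLER_RATIO,
        })
    return hits


def classify(page: str) -> str:
    """Verdict an inline filter would apply under this heuristic."""
    return "block" if generic_payload_hits(page) else "pass"


# Constructed samples. The "payload" is inert filler (0x41 bytes) and the
# object names are hypothetical stand-ins for two unrelated browser bugs.
PAYLOAD = "%u4141" * 40
SAMPLE_BUG_A = ('<script>var s = unescape("' + PAYLOAD +
                '"); hypotheticalObjectA.method(s);</script>')
SAMPLE_BUG_B = ('<script>var b = unescape("' + PAYLOAD +
                '"); hypotheticalTagB.setAttribute("x", b);</script>')
SAMPLE_BENIGN = ('<script>document.title = '
                 'unescape("Caf%u00e9 menu %u2013 today");</script>')

if __name__ == "__main__":
    for name in ("SAMPLE_BUG_A", "SAMPLE_BUG_B", "SAMPLE_BENIGN"):
        print(name, classify(globals()[name]))
```

Both constructed bug pages are blocked by the same rule even though they call different objects, while the page with two isolated escapes passes.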


  
RE: Vuln Disclosure? WTF?
by Acidus at 1:37 pm EST, Jan 8, 2007

Decius wrote:

> Acidus wrote:
>
> > -- Disclosure Timeline:
> > 2006.02.27 - Pre-existing digital Vaccine released to TippingPoint
> > customers
> > 2006.08.31 - Vulnerability reported to vendor
> > 2006.12.12 - Coordinated public release of advisory
> >
> > I noticed this in a vuln report for a remote code execution in JavaScript for IE. Maybe this is a mistake, but it appears that TippingPoint aka 3Com took steps to protect/secure their customers 6 months before even reporting the issue.
> >
> > Surely this cannot be a standard security practice. Is this what corporate 0-day purchasing has forced?
>
> It means they are claiming the vulnerability is covered by some generic javascript shellcode signature that was written a long time before they'd ever heard of this vulnerability.

Ahhhh.. Much clearer. Thanks


 
 