This page contains all of the posts and discussion on MemeStreams referencing the following web page: Vuln Disclosure? WTF?.
Vuln Disclosure? WTF? by Acidus at 10:41 am EST, Jan 8, 2007
-- Disclosure Timeline:
2006.02.27 - Pre-existing digital Vaccine released to TippingPoint customers
2006.08.31 - Vulnerability reported to vendor
2006.12.12 - Coordinated public release of advisory
I noticed this in a vuln report for a remote code execution in JavaScript for IE. Maybe this is a mistake, but it appears that TippingPoint aka 3Com took steps to protect/secure their customers 6 months before even reporting the issue. Surely this cannot be a standard security practice. Is this what corporate 0-day purchasing has forced?

RE: Vuln Disclosure? WTF? by Decius at 11:27 am EST, Jan 8, 2007
Acidus wrote: -- Disclosure Timeline: 2006.02.27 - Pre-existing digital Vaccine released to TippingPoint customers 2006.08.31 - Vulnerability reported to vendor 2006.12.12 - Coordinated public release of advisory
I noticed this in a vuln report for a remote code execution in JavaScript for IE. Maybe this is a mistake, but it appears that TippingPoint aka 3Com took steps to protect/secure their customers 6 months before even reporting the issue. Surely this cannot be a standard security practice. Is this what corporate 0-day purchasing has forced?
It means they are claiming the vulnerability is covered by some generic javascript shellcode signature that was written a long time before they'd ever heard of this vulnerability.

RE: Vuln Disclosure? WTF? by Acidus at 1:37 pm EST, Jan 8, 2007
Decius wrote: Acidus wrote: -- Disclosure Timeline: 2006.02.27 - Pre-existing digital Vaccine released to TippingPoint customers 2006.08.31 - Vulnerability reported to vendor 2006.12.12 - Coordinated public release of advisory
I noticed this in a vuln report for a remote code execution in JavaScript for IE. Maybe this is a mistake, but it appears that TippingPoint aka 3Com took steps to protect/secure their customers 6 months before even reporting the issue. Surely this cannot be a standard security practice. Is this what corporate 0-day purchasing has forced?
It means they are claiming the vulnerability is covered by some generic javascript shellcode signature that was written a long time before they'd ever heard of this vulnerability.
Ahhhh.. Much clearer. Thanks