H.D. Moore, author of Metasploit, has decided that enough time has passed since he informed the various browser vendors about serious bugs, and has launched the month of browser bugs blog. “The vendors have been notified and the time has come to start publishing the results,” Moore said in a blog posting. “This information is being published to create awareness about the types of bugs that plague modern browsers, and to demonstrate the techniques I used to discover them.”

This blog contains one bug per day including exploit code. This newsfactor story has some details.

“The fact remains that the browsers have too many vulnerabilities and we are all better off if Moore exposes them before the criminals exploit them,” said Avivah Litan, an analyst at Gartner.

Are we really better off with these exploits now available to script kiddies? Or, do you agree with Andrew Jacquith, a Yankee Group analyst:

“I don’t know what H.D.’s process was—but it looks like the details are being made public before the vendors can release corresponding patches. So I’d say, ‘No, it’s not responsible disclosure.’”

This entry was posted on Friday, July 7th, 2006 at 1:46 pm by Peter Hesse and is filed under general. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.