Friday, July 15, 2005

Explaining Premature Disclosure for IE Flaw

Michal Zalewski discovers another image rendering bug that crashes Internet Explorer. The flaw reportedly could be exploited by an attacker using a specially crafted JPEG picture to trigger a buffer overflow (code execution).

This portion of Zalewski's post is rather instructive:

"It is my experience that reporting and discussing security problems with Microsoft is a needlessly lengthy process that puts too much burden and effort on the researcher's end, especially if you just have a crash case, not a working exploit; hence, they did not get an advance notice."