you could simply have announced that a vuln existed in w32k w/o giving details. Would have been a lot less dangerous
Replying to @hsultan75 @revskills
FWIW, Project Zero has nothing to do with the win32k stuff you're referring to...
.. but I'd be interested to hear your views on the 'additional danger' - I see it as a balancing act, overall.
Replying to @benhawkes @revskills
You provided no mitigation and gave vuln details => malware can start using it, and there's no way for users to protect themselves.
Replying to @hsultan75 @revskills
An attacker needs to perform additional VR to find the bug based on what they described, and then write an exploit.
That's not an overnight thing in this case. If you have the skills to do this, you have the skills to find other 0day.
Replying to @benhawkes @revskills
Indeed, but you make it a LOT easier for them.
Replying to @hsultan75 @revskills
Can you list any potential positive upsides of doing a disclosure like this? Or do you only see downsides?
You have to assess the overall balance of increased risk of opportunistic harms versus other positive effects.
Different people have different models to measure all of this, and thus arrive at vastly different conclusions.
It doesn't mean anyone is acting with malice - trust me on this,
Replying to @benhawkes @revskills
Don't know why, but the fact is that many in the industry have a pretty bad taste in the mouth left from your actions.