Michael Sutton Quotes (12 Quotes)


    The vulnerability still exists in Internet Explorer in that it's very lenient in how it pulls CSS, but right now nobody is publishing a way that it can be leveraged to do something useful. That's not to say that somebody won't find a way. I'm sure somebody will come up with a creative way to leverage it to do something evil.

    Even though Windows Media Player is not something generally used to render images, it has the capability of doing that. It's not difficult to create a Web page that uses Windows Media Player to display an image instead of the default application. I think it's a ripe target for exploitation if we see public exploit code for it.

    We applaud Compass Group North America for its leadership. Its commitment, and a similar decision by major food retailer Wal-Mart, is a significant step toward transformation of the seafood market in ways that support sustainable fisheries and healthy ocean ecosystems.

    The only model that makes no sense to me is the altruistic model. The vendor wants the researcher to do his code review for free and that doesn't quite fly. They are profiting from the vulnerability information but they don't want to pay for it.

    The nice thing is that a third party that has nothing to do with the VCP is deciding what the criticality is. We're still signing the contract with the researcher and we're still paying the fee for the specific contributor, but we're saying that if it results in a critical bulletin, there's a 10,000 bonus on the table.


    Ocean Champions has the potential to be one of the most transformative things we've ever done in the whole conservation movement.

    Many of our most valuable contributors consistently identify significant vulnerabilities that may never make the front page, but both avert major exploitation and secure considerable compensation through our rewards program.

    The attraction is that we are not bogged down in tremendous bureaucracies and processes that make it difficult to get the transactions done.

    This is relatively easy to exploit. It takes some degree of social engineering -- the attacker would have to draw people to a malicious Web site -- but after that, there's no further intervention required. An attacker could leverage this to write to a file on the hard drive. And once you can write to a person's machine, you have full control.


    It seems like there is some flaky code in portions of the libraries that handle the WMF files. It wouldn't surprise me if we see more vulnerabilities emerge, which I am sure will be followed by more media coverage.

    We're not aware of any public exploit code for it at this time.

