Bugtraq mailing list archives
Re: Can we afford full disclosure of security holes?
From: Chris Wolfe <9cw4 () qlink queensu ca>
Date: Fri, 10 Aug 2001 20:20:02 -0400
I assume this complaint is regarding eEye's initial advisory, rather than their later-published analysis of Code Red.
Given the contents of Microsoft's advisory and a decent debugger, identifying and developing an exploit for the overflow is not overly difficult. Potentially time-consuming, but not terrible complicated.
Moreover, unless I am misreading the analyses, the original eEye exploit uses a jump to a header containing a slide to execute code, while RedAlert jumps to the request body via msvcrt. Hardly closely related approaches. I would strongly question the assumption that RedAlert and variants were all based on the code released by eEye.
I would like to thank the folks at eEye for providing full advisories of security issues. As the one responsible for regression testing around here, knowing the actual flaws makes it much easier (i.e. possible).
Chris At 02:39 PM 8/10/01, Richard M. Smith wrote:
[snip] Unlike the eEye advisory, the Microsoft advisory on the IIS security hole shows the right balance. It gives IIS customers enough information about the buffer overflow without giving a recipe to virus writers of how to exploit it. Thanks, Richard M. Smith CTO, Privacy Foundation http://www.privacyfoundation.org
Current thread:
- Can we afford full disclosure of security holes? Richard M. Smith (Aug 10)
- RE: Can we afford full disclosure of security holes? Marc Maiffret (Aug 10)
- Re: Can we afford full disclosure of security holes? Bill Arbaugh (Aug 10)
- Re: Can we afford full disclosure of security holes? Ryan Russell (Aug 10)
- Re: Can we afford full disclosure of security holes? Scott Blake (Aug 10)
- Re: Can we afford full disclosure of security holes? antirez (Aug 10)
- Re: Can we afford full disclosure of security holes? Alun Jones (Aug 10)
- RE: Can we afford full disclosure of security holes? Guy Helmer (Aug 10)
- Re: Can we afford full disclosure of security holes? Chris Wolfe (Aug 10)
- Re: Can we afford full disclosure of security holes? Randy Taylor (Aug 10)
- <Possible follow-ups>
- Re: Can we afford full disclosure of security holes? aleph1 (Aug 10)
- Re: Can we afford full disclosure of security holes? Bill Arbaugh (Aug 10)
- RE: Can we afford full disclosure of security holes? bodzincm (Aug 10)
- RE: Can we afford full disclosure of security holes? Richard M. Smith (Aug 10)