Dailydave mailing list archives

Re: oooh, isc2 gets p0wned


From: Dave Aitel <dave () immunitysec com>
Date: Sun, 06 Jun 2004 17:41:01 -0400


H D Moore wrote:

| On Sunday 06 June 2004 09:41, Dave Aitel wrote:
|
|> One thing I've been thinking about is that you don't see the
|> OISAFTEY people in the news nearly as much anymore. I'm hoping
|> this means that it's lost all momentum
|
|
| If only they would just go away....
|
| http://finance.lycos.com/qc/news/story.aspx?symbols=NYSE:NET&story=200405251425_BWR__BW5568
|
|
| The Microsoft Security Response team started quoting OIS guidelines
| to me the last time I tried to report a bug to them. The ensuing
| discussion was informative as to how they perceive independent
| researchers and the "community" as whole. The short version is that
| my reasons for having to accelerate the patch release (due to
| public traffic logs of the discovery) were irrelevant, and the only
| way I would get my "credit" would be to sit on my hands and wait
| for them to get around to fixing it.

I'm confused as to what actually happened here. It could be my general
confused nature and lack of reading comprehension skills, but let me
reiterate, just to see if I have it correctly... you reported a Wins.exe
bug to Microsoft (the stack overflow 04-006). Then they asked you to
wait until they felt like it to issue an advisory. Then you said you
wanted them to release an advisory more quickly, since you had "public
traffic logs of the discovery" (??). Then they said no, and if you
release early, reminded you that their policy is to only give credit
to people who do whatever they tell them to, which in this case
involved not saying anything.


| The fact that I really didn't care never made it across.

Care about what? Maybe you should post the emails themselves, 'cause
I'm really confused at this point.

| The end result was that after five months of the code being
| available,

The code for a wins.exe overflow which gets remote root, right?

| they posted an inaccurate advisory that didn't include the real
| possibility of code execution.

Standard practice for any company is to assume it's not exploitable if
there's any possibility at all that it's not exploitable.

| Qualys was given credit for reporting a similar vulnerability and
| only a handful of people are aware of just how easy it is to
| exploit the WINS overflow on Windows 2000....
|
So there are two vulnerabilities in Wins.exe fixed by MS 04-006 and only
one of them was reported in the advisory, and you didn't bother to
tell anyone about your discovery, so no one knows you found the other
one, although it was easier to exploit than the one Qualys found?

-dave




_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
