Dailydave mailing list archives
Re: oooh, isc2 gets p0wned
From: Dave Aitel <dave () immunitysec com>
Date: Sun, 06 Jun 2004 17:41:01 -0400
H D Moore wrote:

| On Sunday 06 June 2004 09:41, Dave Aitel wrote:
|
|> One thing I've been thinking about is that you don't see the
|> OISAFTEY people in the news nearly as much anymore. I'm hoping
|> this means that it's lost all momentum
|
| If only they would just go away....
| http://finance.lycos.com/qc/news/story.aspx?symbols=NYSE:NET&story=200405251425_BWR__BW5568
|
| The Microsoft Security Response team started quoting OIS guidelines
| to me the last time I tried to report a bug to them. The ensuing
| discussion was informative as to how they perceive independent
| researchers and the "community" as a whole. The short version is that
| my reasons for having to accelerate the patch release (due to
| public traffic logs of the discovery) were irrelevant, and the only
| way I would get my "credit" would be to sit on my hands and wait
| for them to get around to fixing it.

I'm confused as to what actually happened here. It could be my general confused nature and lack of reading comprehension skills, but let me reiterate, just to see if I have it correctly...you reported a Wins.exe bug to Microsoft (the stack overflow 04-006). Then they asked you to wait until they felt like it to issue an advisory. Then you said you wanted them to release an advisory more quickly, since you had "public traffic logs of the discovery" (??). Then they said no, and if you release early, reminded you that their policy is to only give credit to people who do whatever they tell them to, which in this case involved not saying anything.

| The fact that I really didn't care never made it across.

Care about what? Maybe you should post the emails themselves, cause I'm really confused at this point.

| The end result was that after five months of the code being
| available,

The code for a wins.exe overflow which gets remote root, right?

| they posted an inaccurate advisory that didn't include the real
| possibility of code execution.

Standard practice for any company is to assume it's not exploitable if there's any possibility at all that it's not exploitable.

| Qualys was given credit for reporting a similar vulnerability and
| only a handful of people are aware of just how easy it is to
| exploit the WINS overflow on Windows 2000....

So there's two vulnerabilities in Wins.exe fixed by MS 04-006 and only one of them was reported in the advisory, and you didn't bother to tell anyone about your discovery, so no one knows you found the other one, although it was easier to exploit than the one Qualys found?

-dave