Dailydave mailing list archives
Re: [sr] Wins investigation for MS04-006
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Fri, 11 Jun 2004 14:25:10 -0500
On Friday 11 June 2004 14:05, you wrote:
> You did work with us on this investigation, and if you would like to have co-credit for this issue, then I'm more than happy to add you to the security bulletin.
I am sorry it was interpreted that way, I actually couldn't care less about the credit, the only reason I brought up the WINS issue was the mention of OIS (which was relevant to the current topic on the mailing list). The point I was trying to make was that vendors are pushing to get security researchers to use the OIS guidelines for vulnerability reporting. The "work with us, or get no credit" stance has also been a long-running theme with Microsoft security, personally I have run across it about three times now (going back to 1998 or so). With regards to HITB, I do feel that they were pressured by Microsoft into not releasing their advisory, however since they have made no official response...
> I can mention as well that we are aware of other recent reports of another WINS issue, is it possible that this is the issue that you had found originally?
It could be, but I have not checked and have no interest in pursuing it. I am aware of alternate exploits that were resolved by the same patch, these seem to be based off the same issue that I ran across here. Maybe someone else on the DD list would like to speak up about their exploit code :)

-HD

---------- Forwarded Message ----------
Subject: [sr] Wins investigation for MS04-006
Date: Friday 11 June 2004 14:05
From: "Microsoft Security Response Center" <secure () microsoft com>
To: "H D Moore" <hdm () digitaloffense net>
Cc: "Microsoft Security Response Center" <secure () microsoft com>

H.D,

I've read your recent postings about the events that took place around MS04-006. I'm sorry you feel that I in some way did not provide you with the level of credit you felt that you deserved relating to this case. It was my understanding that 'the hack in the box folks' owned the credit and release of data for this issue on your side. And at no other time did you mention credit in the bulletin or provide preferred credit details. If I was mistaken, then I would like to apologize and I would like to try to correct it.

You did work with us on this investigation, and if you would like to have co-credit for this issue, then I'm more than happy to add you to the security bulletin. Please let me know if you would like this and which email or web url (but not both) that you would prefer to use.

Also, you state that we really did not understand the issue, if you have had more time to work on code relating to this issue and it's still not patched somehow, I'm more than happy to open a new investigation and try to work together again on these points. I can mention as well that we are aware of other recent reports of another WINS issue, is it possible that this is the issue that you had found originally?

Best Regards
Scott

-------------------------------------------------------
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave