Full Disclosure mailing list archives
Re: Re: Full Disclosure != Exploit Release
From: Blue Boar <BlueBoar () thievco com>
Date: Wed, 29 Jan 2003 13:20:16 -0800
Paul Schmehl wrote:
I've read this mantra over and over again in these discussions, and a question occurs to me. Can anyone provide a *documented* case where a vendor refused to produce a patch **having been properly notified of a vulnerability** until exploit code was released?
It might not meet your exact criteria, but here's one I recall:On Win9x, if you share out a printer, it creates a printer$ share which points to your system directory (read-only, of course.) The purpose is so that other Win9x boxes can auto-download drivers when they connect to the share. It was pointed out to Microsoft that there is potentially all kinds of interesting info that can be had by an attacker. Microsoft decided it wasn't important to fix.
A bit after this was under public discussion, I attended the first NTBugtraq conference/party thingy. A couple of the Microsoft security guys were there, and we got to discussing it. I asked if they planned to fix it, they said no. They said there's nothing exploitable. I pointed out that I could go through the system directory and determine things like exact patch levels, software installed, etc... They said they didn't think it was important enough. The fix would have been to create another directory for printer drivers, and share that out instead.
The MS security guys basically said that if someone could demonstrate a significant problem, they'd take another look at it. In other words, show them an exploit, or they wouldn't fix it. Everyone knew it was risky, and just waiting for someone to come up with an interesting use for the hole. It was never patched (AFAIK), and that was several years ago.
BB _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release, (continued)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Blue Boar (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Rick Updegrove (security) (Jan 29)
- RE: RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release Geo (Jan 29)
- RE: RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release David Howe (Jan 29)
- Re: Full Disclosure != Exploit Release Paul Schmehl (Jan 29)
- Re: Re: Full Disclosure != Exploit Release hellNbak (Jan 29)
- RE: Re: Full Disclosure != Exploit Release Richard M. Smith (Jan 29)
- Re: Re: Full Disclosure != Exploit Release Georgi Guninski (Jan 29)
- Re: Re: Full Disclosure != Exploit Release KF (Jan 29)
- Re: Re: Full Disclosure != Exploit Release Blue Boar (Jan 29)
- Re: Full Disclosure != Exploit Release Paul Schmehl (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release ATD (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)
- RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Richard M. Smith (Jan 29)
- RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Ron DuFresne (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Kevin Spett (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Day Jay (Jan 29)