Full Disclosure mailing list archives

Re: Re: Full Disclosure != Exploit Release


From: Blue Boar <BlueBoar () thievco com>
Date: Wed, 29 Jan 2003 13:20:16 -0800

Paul Schmehl wrote:
> I've read this mantra over and over again in these discussions, and a
> question occurs to me.  Can anyone provide a *documented* case where a
> vendor refused to produce a patch **having been properly notified of a
> vulnerability** until exploit code was released?

It might not meet your exact criteria, but here's one I recall:

On Win9x, if you share out a printer, it creates a printer$ share, which points to your system directory (read-only, of course). The purpose is so that other Win9x boxes can auto-download drivers when they connect to the share. It was pointed out to Microsoft that there are potentially all kinds of interesting info that can be had by an attacker. Microsoft decided it wasn't important to fix.

A bit after this was under public discussion, I attended the first NTBugtraq conference/party thingy. A couple of the Microsoft security guys were there, and we got to discussing it. I asked if they planned to fix it; they said no. They said there's nothing exploitable. I pointed out that I could go through the system directory and determine things like exact patch levels, software installed, etc. They said they didn't think it was important enough. The fix would have been to create another directory for printer drivers, and share that out instead.

The MS security guys basically said that if someone could demonstrate a significant problem, they'd take another look at it. In other words, show them an exploit, or they wouldn't fix it. Everyone knew it was risky, and just waiting for someone to come up with an interesting use for the hole. It was never patched (AFAIK), and that was several years ago.

                                        BB

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
