RE: Re: Full Disclosure != Exploit Release

[John.Airey () rnib org uk]

> -----Original Message-----
> From: Blue Boar [mailto:BlueBoar () thievco com]
> Sent: 29 January 2003 21:20
> To: Paul Schmehl
> Cc: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] Re: Full Disclosure != Exploit Release
>
>
> Paul Schmehl wrote:
> > I've read this mantra over and over again in these 
> discussions, and a
> > question occurs to me.  Can anyone provide a *documented* 
> case where a
> > vendor refused to produce a patch **having been properly 
> notified of a
> > vulnerability** until exploit code was released?
>
> It might not meet your exact criteria, but here's one I recall:
>
> On Win9x, if you share out a printer, it creates a printer$ 
> share which 
> points to your system directory (read-only, of course.)  The 
> purpose is so 
> that other Win9x boxes can auto-download drivers when they 
> connect to the 
> share.  It was pointed out to Microsoft that there is 
> potentially all kinds 
> of interesting info that can be had by an attacker.  
> Microsoft decided it 
> wasn't important to fix.
>
> A bit after this was under public discussion, I attended the first 
> NTBugtraq conference/party thingy.  A couple of the Microsoft 
> security guys 
> were there, and we got to discussing it.  I asked if they 
> planned to fix 
> it, they said no.  They said there's nothing exploitable.  I 
> pointed out 
> that I could go through the system directory and determine 
> things like 
> exact patch levels, software installed, etc... They said they 
> didn't think 
> it was important enough.  The fix would have been to create another 
> directory for printer drivers, and share that out instead.
>
> The MS security guys basically said that if someone could 
> demonstrate a 
> significant problem, they'd take another look at it.  In 
> other words, show 
> them an exploit, or they wouldn't fix it.  Everyone knew it 
> was risky, and 
> just waiting  for someone to come up with an interesting use 
> for the hole. 
>   It was never patched (AFAIK), and that was several years ago.
>
>                                       BB

On a related note, at the Infosec show 2000 in London I asked the Microsoft
representative in a public forum on security whether they would be fixing a
specific bug. The question was whether they would fix the Lan Manager hash
for encryption on Windows 95 and 98 machines that make it easy to crack
passwords. The response was astonishing. He said that this was 16bit code,
and they wouldn't be fixing it as they are concentrating on supporting 32bit
code.

Lots of businesses use Windows 95 and 98 machines without being aware how
utterly insecure they are. When a vendor is publicly asked about fixing a
known bug and the response is that we know about the bug but aren't fixing
it (even though the affected product is still supposedly supported), what is
a user supposed to do? 

Exploit code has its place in waking vendors up to issues. In the above case
, you can buy a password cracker that makes use of this bug.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey () rnib org uk 

Nearly everything we believe is second hand. For example, less than 500
people have seen the Earth from space, yet the majority of people believe it
is round (OK pedants, an oblate sphere).

- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html