Full Disclosure mailing list archives
Re: Microsoft Cries Wolf ( again )
From: KF <dotslash () snosoft com>
Date: Tue, 01 Jul 2003 16:53:55 +0000
It only takes 30 seconds to type an email saying.... hey thanks for taking the time to let us know... we will get back to you. The no call no show's (not replying to security related emails) are BS for lack of a better word. Not even acknowledging an issue is a far cry from trying to work out a fix. A lot of vendors can't even do that without you yanking a few teeth out.
I am also sick of seeing vendors downplay issues by calling them "potential" or "denial of service". As an example... http://archives.neohapsis.com/archives/tru64/2002-q3/0019.html
Here's me *potentially exploiting the issue*

bash-2.05a$ id
uid=201(dotslash) gid=15(users) groups=0(system)
bash-2.05a$ ./TRU64_su
# id
uid=0(root) gid=15(users) groups=15(users),0(system)

or http://xforce.iss.net/xforce/xfdb/7157 and http://www.blacksheepnetworks.com/security/hack/linux/squid.c

What part of me taking a root shell as a local user is a potential issue... and what part of me taking remote uid nobody entails a Denial of service attack... yeah the abuser may have crashed the service while trying to exploit the issue but that hardly qualifies denial of service as the impact of the bug.
As a side note the three letter company I spoke about earlier today has since gone above and beyond at attempting to rectify the communications problem we had earlier. Thanks to those of you that helped out.
-KF

dhtml () hush com wrote:
While there is some argument about what makes a vendor un-responsive, patch times in this case are, likely and understandably, quite lengthy. These fixes are not trivial to begin with, thanks in no small part to the incredible number of customers Microsoft has. As if the literally millions of configurations Microsoft software must support weren't enough, think for a second about the multiple different character sets its code applies to. Even the *DOCUMENTATION* for the patch must be translated into dozens of different languages -- no small task with exploitation looming on the horizon. However, it is obvious that in this case, the reporter did not attempt any contact with Microsoft whatsoever.

/////////

This is not my problem. I DON'T CARE! That's your company and you do with it as you see fit. Whether you want to make 1 million versions of your product in order to grab every possible market share, so be it. You'd better be damn sure that what you make works otherwise if you throw it out there and it breaks, someone has to pay. Why not make one quality product instead of hundreds of flawed ones? That's right! It's your company and you do with it as you see fit!
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html