Bugtraq mailing list archives

Re: Microsoft JET/Office Vulnerability Exploit


From: Russ.Cooper () RC ON CA (Russ)
Date: Wed, 18 Aug 1999 18:09:23 -0400


-----BEGIN PGP SIGNED MESSAGE-----

> Well it seems some people still believe in security through
> obscurity. Three weeks after the vulnerability was announced
> the people with the knowledge of the details have not
> disclosed further information (hi Russ).

Hi Elias. Why did you release this today? You say it's been in your
vulnerability database since 7/29, yet no message was ever sent to
Bugtraq about it. Were you, like me, withholding details until a fix?

> Now those same people are asking whether the information should
> be disclosed at all (and trying to get some nice publicity out
> of it).

"some nice publicity"?? Give me a break, I want to ensure that the
thing is as widely published as possible so everyone can realize they
need to get a fix. Why didn't you do the same? Oh, I forgot, that's
not Bugtraq's job.

> Well guess what? An exploit has been around for quite a while now.
> We've had an exploit in the SF vulnerability database for some
> time now. We refer to this vulnerability as BUGTRAQ-ID 548
> "Microsoft JET ODBC Vulnerability".

Again, had it for some time yet never published its existence. Or did
you just let a select few know about it?

> Now without knowing the full details of the vulnerability we
> can only guess that this exploit exercises the same
> vulnerability. Maybe the people in the know will enlighten
> us?

Well, with the module password protected it seems clear you're not out
to get that critique very quickly. Maybe if you'd let someone know the
details we'd be able to answer you. As it is, we're simply left with
what appears to be the same exploit.

> Now what does this teach us? That trying to keep the details
> of a vulnerability secret while at the same time announcing
> its existence does not work. If you are going to announce a
> vulnerability, provide all the details. Otherwise keep the
> vulnerability to yourself.

Um, Elias, you announced the vulnerability on Bugtraq on the same day
I announced it on NTBugtraq...then you received the exploit details
sometime after that...then you kept those details private both by not
announcing the availability of the exploit code to Bugtraq **and** by
making the exploit code readily unavailable by password protecting it.

Who's calling the kettle black here?

> BUGTRAQ and Security Focus will always be committed to
> full disclosure. Your mileage may vary with others.

And all power to you, but you should at least try and abide by your
own definition of what full disclosure means. You got the exploit code
and didn't tell your list?? You release it but don't let anyone see
how it works?? Which part of this is "full disclosure" and which part
is an attempt to prevent NTBugtraq from receiving what you call "some
nice publicity"??

Your message has simply stated that you are willing to compromise your
own goals and values to ensure NTBugtraq doesn't get publicity on
something that Bugtraq can. I personally don't care if NTBugtraq gets
mentioned anywhere in this story, as long as the public is alert and
made aware of the threat of exploit.

Since I've never seen Bugtraq quoted in the mainstream media, I sorta
thought you all were useless at that sort of thing. Maybe I'm
wrong...we'll see I guess.

If, however, SecurityFocus can find some other way to pummel me and
NTBugtraq, please do so, I doubt the public needs this sort of angst.

Cheers,
Russ - NTBugtraq Editor


