Bugtraq mailing list archives

Re: Microsoft JET/Office Vulnerability Exploit


From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Wed, 18 Aug 1999 15:56:58 -0700


On Wed, Aug 18, 1999 at 06:09:23PM -0400, Russ wrote:
-----BEGIN PGP SIGNED MESSAGE-----

Well it seems some people still believe in security through
obscurity. Three weeks after the vulnerability was announced
the people with the knowledge of the details have not
disclosed further information (hi Russ).

Hi Elias. Why did you release this today? You say it's been in your
vulnerability database since 7/29, yet no message was ever sent to
Bugtraq about it. Were you, like me, withholding details until a fix?

Hi Russ,

  Please read the message again. I never state that the exploit has
been in our database since 7/29. As a matter of fact we are not
sure when the exact date is that it was entered. As part of
our search for vulnerability information we visit web sites
which is where we found this exploit.

  The person that entered the exploit information did not realize
that the details of this vulnerability were not known at the time.
It was not until this morning when I saw your message that I checked
our database and found the exploit myself.

  Hope this clears up any misconceptions you may have.

"some nice publicity"?? Give me a break, I want to ensure that the
thing is as widely published as possible so everyone can realize they
need to get a fix. Why didn't you do the same? Oh, I forgot, that's
not Bugtraq's job.

  I won't comment on your methods.

Well guess what? An exploit has been around for quite a while now.
We've had an exploit in the SF vulnerability database for some
time now. We refer to this vulnerability as BUGTRAQ-ID 548
"Microsoft JET ODBC Vulnerability".

Again, had it for some time yet never published its existence. Or did
you just let a select few know about it?

  See above.

Now without knowing the full details of the vulnerability we
can only guess that this exploit exercises the same
vulnerability. Maybe the people in the know will enlighten
us?

Well, with the module password protected it seems clear you're not out
to get that critique very quickly. Maybe if you'd let someone know the
details we'd be able to answer you. As it is, we're simply left with
what appears to be the same exploit.

  We did not develop the code, otherwise we would share the knowledge.
My point, which you have glossed over, is that the exploit has been
found in the wild. The idea that by keeping the information secret you
have denied the information to people that would use it in malicious ways
is wrong. This is proof of that.

Now what does this teach us? That trying to keep the details
of a vulnerability secret while at the same time announcing
its existence does not work. If you are going to announce a
vulnerability, provide all the details. Otherwise keep the
vulnerability to yourself.

Um, Elias, you announced the vulnerability on Bugtraq on the same day
I announced it on NTBugtraq...then you received the exploit details
sometime after that...then you kept those details private both by not
announcing the availability of the exploit code to Bugtraq **and** by
making the exploit code readily unavailable by password protecting it.

Who's calling the kettle black here?

Russ you make several false assumptions. First, as noted in the original
message and above, we did not develop the code. That should have been
obvious. Guess it was not to you. Second, again as noted in the original
message and above, we do not know the vulnerability details. If we did we
would make them available. We announced the information that Cuartango
and yourself made public. Sorry. You'll have to look elsewhere for a
scapegoat.

BUGTRAQ and Security Focus will always be committed to
full disclosure. Your mileage may vary with others.

And all power to you, but you should at least try and abide by your
own definition of what full disclosure means. You got the exploit code
and didn't tell your list?? You release it but don't let anyone see
how it works?? Which part of this is "full disclosure" and which part
is an attempt to prevent NTBugtraq from receiving what you call "some
nice publicity"??

See above.

Your message has simply stated that you are willing to compromise your
own goals and values to ensure NTBugtraq doesn't get publicity on
something that Bugtraq can. I personally don't care if NTBugtraq gets
mentioned anywhere in this story, as long as the public is alert and
made aware of the threat of exploit.

Since I've never seen Bugtraq quoted in the main-stream media, I sorta
thought you all were useless at that sort of thing. Maybe I'm
wrong...we'll see I guess.

If, however, SecurityFocus can find some other way to pummel me and
NTBugtraq, please do so, I doubt the public needs this sort of angst.

Russ, I am sorry to see you feel this way. I don't understand how you
have derived from my message that we want to "ensure NTBugtraq doesn't
get publicity".

I was simply pointing out that your current philosophy does not work.
Your stated purpose of withholding the information from the public so
the bad guys don't get it failed. This seems to be a philosophy that
permeated how NTBUGTRAQ is run.

Cheers,

Indeed.

Russ - NTBugtraq Editor


--
Elias Levy
Security Focus
http://www.securityfocus.com/
