Full Disclosure mailing list archives
[Full-Disclosure] RE: Full-disclosure] Software Company Files Suit Over Vulnerability Disclosure
From: "Steve W. Manzuik" <steve () entrenchtech com>
Date: Sun, 29 Dec 2002 19:10:51 -0700
Surprising that this hits the press now. I know another online news source was looking at reporting on this quite some time ago and decided not to. But, I do have a few comments on this one.

Autoprof published the following "whitepaper" - http://www.autoprof.com/pdf/PM_Scriptlogic_Comparison.pdf - that on page 8 outlines the following "security vulnerabilities":

"The first problem allows network users administrative access to the local Windows registry. The second problem allows network users to become administrators of all domain machines that have previously run the ScriptLogic 4 RunAdmin client service. The third problem grants all users (the "Everyone Group" by default) full access to a network-shared folder on a ScriptLogic 4 domain controller."

All of these vulnerabilities are caused by one thing and one thing only -- poor permissions. The fact that Autoprof feels that these issues are serious enough to warrant a complete whitepaper on it is almost as ludicrous as ScriptLogic invoking the lawyers and suing Autoprof. What we have here are two vendors tossing their dicks on the table to see who has the longest one. Meanwhile they will waste money and time all while passing the costs off to their end users (does anyone actually use either of these products?).

For those who do feel that this is a serious issue, here are some quick fixes that are part of "Securing NT/2000 101":

- Don't use the Everyone group
- Don't let services run as SYSTEM unless required
- Lock down file permissions as needed
- Lock down registry permissions as needed
- Monitor internal network traffic
- Manage workstation builds

Seriously, if someone who is on your internal network wants to own you there are far more serious and more effective things that they could do. That being said, ScriptLogic could easily fix these problems and make the whole thing go away. The hour of development time it would take is far cheaper than the lawyers.
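An added example, not part of the original post: a PowerShell audit script for the "quick fixes" above. It reports Allow ACEs that grant the Everyone group full control on a folder or registry key (the pattern behind the first and third problems), and lists running services that start as LocalSystem. The two paths in $targets are placeholders you substitute for your own share and the product's registry key.

```powershell
# Added example (not from the original post or either vendor). Audits for the
# permission mistakes the post lists: Everyone with full control, and services
# running as SYSTEM. Paths below are placeholders, not the products' real paths.
$targets = @(
    'C:\SharedFolder',              # placeholder: the network-shared folder
    'HKLM:\SOFTWARE\ExampleVendor'  # placeholder: registry key the product uses
)

function Find-EveryoneFullControl {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { Write-Warning "Not found: $path"; continue }
        # Get-Acl returns FileSystemSecurity for folders, RegistrySecurity for keys
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            # Only Allow entries grant access; Deny entries are not a finding
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($who -ne 'Everyone') { continue }
            # Folder ACEs expose FileSystemRights, registry ACEs expose RegistryRights
            $rights = if ($ace.PSObject.Properties['FileSystemRights']) {
                $ace.FileSystemRights
            } else {
                $ace.RegistryRights
            }
            if ("$rights" -match 'FullControl') {
                [pscustomobject]@{
                    Path      = $path
                    Identity  = $who
                    Rights    = $rights
                    Inherited = $ace.IsInherited   # inherited ACEs point at a parent to fix
                }
            }
        }
    }
}

function Find-LocalSystemServices {
    # Running services whose logon account is the built-in SYSTEM account
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -eq 'Running' } |
        Select-Object Name, DisplayName, PathName
}

Find-EveryoneFullControl -Paths $targets | Format-Table -AutoSize
Find-LocalSystemServices | Format-Table -AutoSize
```

Run it from an elevated prompt on the domain controller or workstation being checked; each row in the first table is an ACE to replace with a specific group, and the second table is the list to review against "unless required".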
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html