Full Disclosure mailing list archives

Re: Bill Gates blames the victim


From: Paul Schmehl <pauls () utdallas edu>
Date: Sun, 31 Aug 2003 11:16:32 -0500

--On Sunday, August 31, 2003 12:31:03 -0300 pandora () swi com br wrote:

And what about the flaws MS probably found during the code audit and that
were never published? I would like to see MS releasing patches/fixes for
flaws they found during these audits. Or did they find none?

The only thing we know for certain is that they didn't find them all. That point has been driven home decisively by Blaster and Nachi.

During the launch of Windows XP, Microsoft announced that they had "eliminated" buffer overflows in Windows XP (using a commercial tool that they had purchased). One month later eEye announced what I still believe to be the most devastating hole in Windows, the UPnP vulnerability. It hasn't been exploited like RPC DCOM has, but it's an even more serious vulnerability.

How many more are lying around waiting to be exploited? It's obvious that Microsoft doesn't know.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

