Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Microsoft MCWNDX.OCX ActiveX buffer overflow

From: "Drew Copley" <dcopley () eeye com>
Date: Fri, 15 Aug 2003 16:43:02 -0700



-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
Matthew Murphy
Sent: Friday, August 15, 2003 3:50 PM
To: Full Disclosure
Subject: Re: [Full-disclosure] Microsoft MCWNDX.OCX ActiveX 
buffer overflow


"Georgi Guninski" <guninski () guninski com> writes:

So you are collecting 0days for free, put them in a lame 

database and
whine more

than a script kiddie this is a hard job?


You have absolutely no point here, Georgi.  The CVE for one 
is hardly a database -- it is more or less a list of lists of 
references on various vulnerabilities that are submitted *to* 
CVE (i.e, not every vulnerability that David Ahmad finds in 
project changelogs somewhere).  I don't think you'll have any 
support for calling CVE "lame".  CVE has been a solution to 
the problem of multiple and confusing names for 
vulnerabilities.  Simply looking at the anti-virus industry's 
constant "name game" when it comes to viruseses, such as its 
many different names for "Blaster" (aka W32-Blaster-A, 
Win32/Blaster, Win32.Blaster.worm, Win32/Poza.A, 
Win32/LovSan.worm, ...), will show you the problem that CVE 
has helped to eliminate.

I've yet to see Steve "whine" -- he has never voiced a 
complaint without presenting a valid point, backed up by very 
good research, and usually provides solutions where possible. 
 The point that CVE is "collecting 0days" is also completely 
inaccurate.  Usually, when CVE assigns an identifier to a 
vulnerability without publicly disclosed details, one of two 
things happen. Either CVE assigns a pool of IDs to the vendor 
to assign as issues are reported, or the vendor requests a 
candidate assignment to CVE on a per-issue basis.  Sometimes, 
a combination of both occurs.  Obviously, when the former 
strategy is chosen, details are not revealed to CVE until the 
formal announcement is made, and my experience suggests that 
this is true in the latter case as well.

Additionally, Steve's point was that inaccurate advisories 
slow CVE's response -- he never said that CVE maintenance was 
a "hard job".  Even so, it probably is -- that just means 
that Steve's not a complainer. :-)


It is apparently underfunded. They do have a generally slow response to
many issues. As someone that often deals with these databases, I have
noticed that numerous, well proven flaws remain in the candidacy stage
-- with no good reason whatsoever. But, it is free, to me, so I am not
complaining. 

Securityfocus and their bid system tends to be quite a bit more useful
in daily research. (Surely, greatly more useful than the CVE
"candidates" which often have little or pointless references, and rarely
ever a reference to the actual information - aka, bugtraq post - which
propelled the creation of the bug in the first place.

Now, this said, such statements should not be seen as a "complaint",
rather as useful criticism.

:)





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: