RE: Re: Full Disclosure != Exploit Release

[hellNbak <hellnbak () nmrc org>]

While I agree that they should be fixing their problems, are there not a
ton of mitigating factors to lower the risk?  In reality, if you get
physical access to any box you an own it -- no matter what O/S it is...

On Thu, 30 Jan 2003 John.Airey () rnib org uk wrote:

> Date: Thu, 30 Jan 2003 11:31:36 -0000
> From: John.Airey () rnib org uk
> To: BlueBoar () thievco com, pauls () utdallas edu
> Cc: full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] Re: Full Disclosure != Exploit Release
>
> > -----Original Message-----
> > From: Blue Boar [mailto:BlueBoar () thievco com]
> > Sent: 29 January 2003 21:20
> > To: Paul Schmehl
> > Cc: full-disclosure () lists netsys com
> > Subject: Re: [Full-disclosure] Re: Full Disclosure != Exploit Release
> >
> >
> > Paul Schmehl wrote:
> > > I've read this mantra over and over again in these
> > discussions, and a
> > > question occurs to me.  Can anyone provide a *documented*
> > case where a
> > > vendor refused to produce a patch **having been properly
> > notified of a
> > > vulnerability** until exploit code was released?
> >
> > It might not meet your exact criteria, but here's one I recall:
> >
> > On Win9x, if you share out a printer, it creates a printer$
> > share which
> > points to your system directory (read-only, of course.)  The
> > purpose is so
> > that other Win9x boxes can auto-download drivers when they
> > connect to the
> > share.  It was pointed out to Microsoft that there is
> > potentially all kinds
> > of interesting info that can be had by an attacker.
> > Microsoft decided it
> > wasn't important to fix.
> >
> > A bit after this was under public discussion, I attended the first
> > NTBugtraq conference/party thingy.  A couple of the Microsoft
> > security guys
> > were there, and we got to discussing it.  I asked if they
> > planned to fix
> > it, they said no.  They said there's nothing exploitable.  I
> > pointed out
> > that I could go through the system directory and determine
> > things like
> > exact patch levels, software installed, etc... They said they
> > didn't think
> > it was important enough.  The fix would have been to create another
> > directory for printer drivers, and share that out instead.
> >
> > The MS security guys basically said that if someone could
> > demonstrate a
> > significant problem, they'd take another look at it.  In
> > other words, show
> > them an exploit, or they wouldn't fix it.  Everyone knew it
> > was risky, and
> > just waiting  for someone to come up with an interesting use
> > for the hole.
> >   It was never patched (AFAIK), and that was several years ago.
> >
> >                                     BB
>
> On a related note, at the Infosec show 2000 in London I asked the Microsoft
> representative in a public forum on security whether they would be fixing a
> specific bug. The question was whether they would fix the Lan Manager hash
> for encryption on Windows 95 and 98 machines that make it easy to crack
> passwords. The response was astonishing. He said that this was 16bit code,
> and they wouldn't be fixing it as they are concentrating on supporting 32bit
> code.
>
> Lots of businesses use Windows 95 and 98 machines without being aware how
> utterly insecure they are. When a vendor is publicly asked about fixing a
> known bug and the response is that we know about the bug but aren't fixing
> it (even though the affected product is still supposedly supported), what is
> a user supposed to do?
>
> Exploit code has its place in waking vendors up to issues. In the above case
> , you can buy a password cracker that makes use of this bug.
>
> -
> John Airey, BSc (Jt Hons), CNA, RHCE
> Internet systems support officer, ITCSD, Royal National Institute of the
> Blind,
> Bakewell Road, Peterborough PE2 6XU,
> Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey () rnib org uk
>
> Nearly everything we believe is second hand. For example, less than 500
> people have seen the Earth from space, yet the majority of people believe it
> is round (OK pedants, an oblate sphere).
>
> -
>
> NOTICE: The information contained in this email and any attachments is
> confidential and may be legally privileged. If you are not the
> intended recipient you are hereby notified that you must not use,
> disclose, distribute, copy, print or rely on this email's content. If
> you are not the intended recipient, please notify the sender
> immediately and then delete the email and any attachments from your
> system.
>
> RNIB has made strenuous efforts to ensure that emails and any
> attachments generated by its staff are free from viruses. However, it
> cannot accept any responsibility for any viruses which are
> transmitted. We therefore recommend you scan all attachments.
>
> Please note that the statements and views expressed in this email
> and any attachments are those of the author and do not necessarily
> represent those of RNIB.
>
> RNIB Registered Charity Number: 226227
>
> Website: http://www.rnib.org.uk
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak () nmrc org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html