Full Disclosure mailing list archives
RE: Re: Full Disclosure != Exploit Release
From: hellNbak <hellnbak () nmrc org>
Date: Thu, 30 Jan 2003 08:43:30 -0600 (CST)
While I agree that they should be fixing their problems, are there not a ton of mitigating factors to lower the risk? In reality, if you get physical access to any box you can own it -- no matter what O/S it is...

On Thu, 30 Jan 2003 John.Airey () rnib org uk wrote:
> Date: Thu, 30 Jan 2003 11:31:36 -0000
> From: John.Airey () rnib org uk
> To: BlueBoar () thievco com, pauls () utdallas edu
> Cc: full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] Re: Full Disclosure != Exploit Release
>
> -----Original Message-----
> From: Blue Boar [mailto:BlueBoar () thievco com]
> Sent: 29 January 2003 21:20
> To: Paul Schmehl
> Cc: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] Re: Full Disclosure != Exploit Release
>
> > Paul Schmehl wrote:
> > > I've read this mantra over and over again in these discussions, and a question occurs to me. Can anyone provide a *documented* case where a vendor refused to produce a patch **having been properly notified of a vulnerability** until exploit code was released?
> >
> > It might not meet your exact criteria, but here's one I recall:
> >
> > On Win9x, if you share out a printer, it creates a printer$ share which points to your system directory (read-only, of course.) The purpose is so that other Win9x boxes can auto-download drivers when they connect to the share. It was pointed out to Microsoft that there is potentially all kinds of interesting info that can be had by an attacker. Microsoft decided it wasn't important to fix.
> >
> > A bit after this was under public discussion, I attended the first NTBugtraq conference/party thingy. A couple of the Microsoft security guys were there, and we got to discussing it. I asked if they planned to fix it, they said no. They said there's nothing exploitable. I pointed out that I could go through the system directory and determine things like exact patch levels, software installed, etc... They said they didn't think it was important enough.
> >
> > The fix would have been to create another directory for printer drivers, and share that out instead. The MS security guys basically said that if someone could demonstrate a significant problem, they'd take another look at it. In other words, show them an exploit, or they wouldn't fix it.
> >
> > Everyone knew it was risky, and just waiting for someone to come up with an interesting use for the hole. It was never patched (AFAIK), and that was several years ago.
> >
> > BB
>
> On a related note, at the Infosec show 2000 in London I asked the Microsoft representative in a public forum on security whether they would be fixing a specific bug. The question was whether they would fix the Lan Manager hash for encryption on Windows 95 and 98 machines that makes it easy to crack passwords. The response was astonishing. He said that this was 16-bit code, and they wouldn't be fixing it as they are concentrating on supporting 32-bit code.
>
> Lots of businesses use Windows 95 and 98 machines without being aware how utterly insecure they are. When a vendor is publicly asked about fixing a known bug and the response is that we know about the bug but aren't fixing it (even though the affected product is still supposedly supported), what is a user supposed to do? Exploit code has its place in waking vendors up to issues. In the above case, you can buy a password cracker that makes use of this bug.
>
> -
> John Airey, BSc (Jt Hons), CNA, RHCE
> Internet systems support officer, ITCSD, Royal National Institute of the Blind,
> Bakewell Road, Peterborough PE2 6XU,
> Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
> John.Airey () rnib org uk
>
> Nearly everything we believe is second hand. For example, less than 500 people have seen the Earth from space, yet the majority of people believe it is round (OK pedants, an oblate sphere).
>
> -
> NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak () nmrc org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html