Full Disclosure mailing list archives

Re: Multiple Vulnerabilities found in Microsoft .Net Passport Services

From: Valdis.Kletnieks () vt edu
Date: Sat, 10 May 2003 01:02:49 -0400

On Thu, 08 May 2003 18:57:04 +1000, Steven Evans said:

Please, can you wait until microsoft fixes your 'vulnerabilities' before you
post.


Well.. it's interesting.. Vulnerability number 2 (password reset) was
apparently closed down within an hour once it hit full-disclosure.  Mind you,
that's after the guys at Microsoft had been given 3 weeks - and it's been
admitted that the hole was there at least since Sept 2002, even though it
shouldn't have passed a code review (and they DID tell the FTC they'd tighten
up security, and "change a password" would seem to be where you'd START
auditing your code, right? ;)

Probably why they're facing a potential $2.2 trillion in fines. ;)

http://www.washingtonpost.com/wp-dyn/articles/A30330-2003May8.html

In any case, Muhammed Faisal Rauf Danka posted vulnerability number 2:

From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Wed, 07 May 2003 19:50:51 -0700 (PDT) (22:50 EDT)


It hit the mainstream no more than 5 hours later (and the problem functions
disabled already):

From: Michael J McCafferty <mike () m5computersecurity com>
Date: Thu, 08 May 2003 00:52:32 -0700 (03:52 EDT)

Well, there ya go it's hit the mainstream press....
http://news.com.com/2100-1002_3-1000429.html?tag=lh

The story mentions that MS has turned off all password reset functionality 
by now.


So finally, Qazi posts..

Date: Thu, 08 May 2003 11:36:37 +0500
From: Qazi Ahmed <qa () pakcert org>
Subject: [Full-disclosure] Multiple Vulnerabilities found in Microsoft .Net  Passport Services


After adjusting for timezones, this is only 15 minutes before McCafferty
posted that *everybody* knew - and I doubt that Microsoft turned it off,
news.com found out it was disabled and got a web page up saying that, and then
McCafferty posted here that news.com had the page, all in 15 minutes.

So I'm not at all sure what you're complaining about regarding the timing.

Attachment: _bin
Description:

Current thread:

RE: Multiple Vulnerabilities found in Microsoft .Net Passport Services Steven Evans (May 09)
- Re: Multiple Vulnerabilities found in Microsoft .Net Passport Services Valdis . Kletnieks (May 09)