Full Disclosure mailing list archives
Re: Multiple Vulnerabilities found in Microsoft .Net Passport Services
From: Valdis.Kletnieks () vt edu
Date: Sat, 10 May 2003 01:02:49 -0400
On Thu, 08 May 2003 18:57:04 +1000, Steven Evans said:
Please, can you wait until Microsoft fixes your 'vulnerabilities' before you post.
Well.. it's interesting.. Vulnerability number 2 (password reset) was apparently closed down within an hour once it hit full-disclosure. Mind you, that's after the guys at Microsoft had been given 3 weeks - and it's been admitted that the hole was there at least since Sept 2002, even though it shouldn't have passed a code review (and they DID tell the FTC they'd tighten up security, and "change a password" would seem to be where you'd START auditing your code, right? ;)

Probably why they're facing a potential $2.2 trillion in fines. ;)

http://www.washingtonpost.com/wp-dyn/articles/A30330-2003May8.html

In any case, Muhammad Faisal Rauf Danka posted vulnerability number 2:
From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Wed, 07 May 2003 19:50:51 -0700 (PDT) (22:50 EDT)
It hit the mainstream no more than 5 hours later (and the problem functions disabled already):
From: Michael J McCafferty <mike () m5computersecurity com>
Date: Thu, 08 May 2003 00:52:32 -0700 (03:52 EDT)

Well, there ya go it's hit the mainstream press....
http://news.com.com/2100-1002_3-1000429.html?tag=lh
The story mentions that MS has turned off all password reset functionality by now.
So finally, Qazi posts..
Date: Thu, 08 May 2003 11:36:37 +0500
From: Qazi Ahmed <qa () pakcert org>
Subject: [Full-disclosure] Multiple Vulnerabilities found in Microsoft .Net Passport Services
After adjusting for timezones, this is only 15 minutes before McCafferty posted that *everybody* knew - and I doubt that Microsoft turned it off, news.com found out it was disabled and got a web page up saying that, and then McCafferty posted here that news.com had the page, all in 15 minutes. So I'm not at all sure what you're complaining about regarding the timing.