Full Disclosure mailing list archives
Re: MSIE src&name property disclosure ("E" - GORILLA WAR stratigy? )
From: jamie fisher <contact_jamie_fisher () yahoo co uk>
Date: Mon, 8 Nov 2004 14:48:09 +0000 (GMT)
Can a company sue a person, for publishing irresponsible sec. ...
Don't know; Internet law is still very unclear in so many areas.
I found a shitty security issue in CyberGuard Firewall/Proxy some time ago; they were pretty upset about it. Went to the top as far as I understand it, to Paul Henry. In any case, they asked me to issue a retraction statement saying the security issue was false. I _did_ get the feeling the lawyers would come out of the woodwork but I ignored them and they finally went away. I'd say it was a pretty close shave. Below is the retraction statement they asked me to issue: To Whom It May Concern: 28 January 2004 In reference to the vulnerability posting that I raised on Bugtraq on 18th December 2003, relating to CyberGuard firewall/VPN products, I now request that your site remove the entry as it has been proven to be false. CyberGuard have issued the following public statement: CyberGuard firewalls have zero vulnerabilities. Security Tracker agrees to remove erroneous 'vulnerability' message posting. After further investigation and research into the message posted to the Bugtraq security mailing list on December 18th, 2003 and as reported on http://securitytracker.com/alerts/2003/Dec/1008526.html and other security web sites, CyberGuard has determined that the information in the post is indeed false. While the party failed to test and validate the above XSS hole as reported in the above post, we will shed further light on this supposed "vulnerability." The above poster assumes that a XSS hole would provide a miscreant to privileged user credentials by collecting password/username information from the browser information of a CyberGuard administrator desktop machine. CyberGuard uses Tarantella (a java applet) to administer a firewall via HTTPS - we DO NOT store user credentials in the browser. Consequently, there is no privileged data that can be compromised and no vulnerability whatsoever. " Security Tracker agrees with this assessment and will remove the report from its database. We are also working with other security sites that list Security Tracker reports to make sure the CyberGuard "vulnerability" is removed as soon as possible. I confirm that I now request that your site remove the entry as it has been proven to be incorrect. Please inform me when this action has been completed. Jamie Fisher For completeness, the XSS is as follows: alert('test')http://domain.tld> CyberGuard make decent firewalls; the manner in which they manage their response to security vulnerbilities is poor. bipin gautam <visitbipin () yahoo com> wrote: huh! Reviewing all the latest IE advisories, i believe they are in a way attacking M$. So that its coutomers are forced to choose another browser... due to the security risks involved. I will rate it as a birth of "E" - GORILLA WAR stratigy? (o; of the minorities. Can a company sue a person, for publishing irresponsible sec. advisories as such? No offence. I just wanna know your views. Afterall, the haxor is reverse engineering the software. I don't know if M$ will ever fire a case against such ppl. in future with a propaganda, TO PROTECT ITS USERS? have your say? bipin gautam --- Berend-Jan Wever wrote:
Hi all, In response to statements found at
http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html
"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the company said in the statement. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed." About "responsible disclosure": The origional vulnerability was found and disclosed by ned. As far as I know, ned only knew he had found something that crashed MSIE: a bug. Microsofts concerns would suggest two options: 1) They expect everybody who finds a bug to investigate the issue and act according to the impact the problem might have on security. I do not think this is likely to happen unless everybody is required to be a 1337 ubergeek before they are allowed to use MS software. It's a nice goal to aim for, but not very realistic. 2) You can not talk about your software crashing, ever, unless it's to the vendor: You might have stumbled upon a vulnerability and if a malicous attacker hears about it, he might use it. About "commonly accepted practice of reporting vulnerabilities directly to a vendor": When did they arrest all the black-hats ? About "no exposure to malicious attackers while the patch is being developed": Allthough I believe in responsible disclosure of vulnerabilities, it DOES NOT prevent malicious attackers to discover and exploit the same vulnerability while a patch is being developed. Resonsible disclosure decreases the chance of somebody hacking your system while you are vulnerable, it doesn't make it zero. Anybody who understands basic bufferoverflow techniques will be able to write an exploit for this vulnerability. I did it in a few minutes, so how hard can it be ? I do not feel I disclosed anything new, I just saved a lot of people the trouble of writing it themselves. The vulnerability has been rated "extremely critical" since I released the exploit. I say it was allready "extremely critical" before ned disclosed his information, only nobody knew it was there. It was "extremely critical" when ned did, but only a few could grasp that. Then I explained it was an easy to exploit bufferoverflow, it still did not get much attention. Writing the exploit hasn't changed the flaw or it's impact, it just attracked the right amount of attention to the problem. Cheers, SkyLined _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
__________________________________ Do you Yahoo!? Check out the new Yahoo! Front Page. www.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html --------------------------------- ALL-NEW Yahoo! Messenger - all new features - even more fun!
Current thread:
- MSIE src&name property disclosure Berend-Jan Wever (Nov 08)
- Re: MSIE src&name property disclosure ("E" - GORILLA WAR stratigy? ) bipin gautam (Nov 08)
- Re: MSIE src&name property disclosure ("E" - GORILLA WAR stratigy? ) kf_lists (Nov 08)
- Re: MSIE src&name property disclosure ("E" - GORILLA WAR stratigy? ) jamie fisher (Nov 08)
- CyberGuard and their desired retraction (was Re:MSIE src&name property disclosure) security curmudgeon (Nov 11)
- Re: MSIE src&name property disclosure Michal Zalewski (Nov 08)
- Re: MSIE src&name property disclosure Dave Aitel (Nov 08)
- Re: MSIE src&name property disclosure Gadi Evron (Nov 08)
- RE: MSIE src&name property disclosure joe (Nov 15)
- Re: MSIE src&name property disclosure Dave Aitel (Nov 15)
- RE: MSIE src&name property disclosure joe (Nov 15)
- Re: MSIE src&name property disclosure Dave Aitel (Nov 15)
- Re: MSIE src&name property disclosure Micheal Espinola Jr (Nov 15)
- Re: MSIE src&name property disclosure Dave Aitel (Nov 08)
- Re: MSIE src&name property disclosure ("E" - GORILLA WAR stratigy? ) bipin gautam (Nov 08)