Re: MSIE src&name property disclosure ("E" - GORILLA WAR stratigy? )

[jamie fisher <contact_jamie_fisher () yahoo co uk>]

Can a company sue a person, for publishing irresponsible sec. ...
 
> >  Don't know; Internet law is still very unclear in so many areas.
 
I found a shitty security issue in CyberGuard Firewall/Proxy some time ago; they were pretty upset about it.  Went to 
the top as far as I understand it, to Paul Henry.
 
In any case, they asked me to issue a retraction statement saying the security issue was false.  I _did_ get the 
feeling the lawyers would come out of the woodwork but I ignored them and they finally went away.  I'd say it was a 
pretty close shave.
 
Below is the retraction statement they asked me to issue:

To Whom It May Concern: 

28 January 2004 

In reference to the vulnerability posting that I raised on Bugtraq on 18th December 2003, relating to CyberGuard 
firewall/VPN products, I now request that your site remove the entry as it has been proven to be false. 

CyberGuard have issued the following public statement: 

CyberGuard firewalls have zero vulnerabilities. Security Tracker agrees to remove erroneous 'vulnerability' message 
posting. 

After further investigation and research into the message posted to the Bugtraq security mailing list on December 18th, 
2003 and as reported on http://securitytracker.com/alerts/2003/Dec/1008526.html and other security web sites, 
CyberGuard has determined that the information in the post is indeed false. While the party failed to test and validate 
the above XSS hole as reported in the above post, we will shed further light on this supposed "vulnerability." 

The above poster assumes that a XSS hole would provide a miscreant to privileged user credentials by collecting 
password/username information from the browser information of a CyberGuard administrator desktop machine. CyberGuard 
uses Tarantella (a java applet) to administer a firewall via HTTPS - we DO NOT store user credentials in the browser. 
Consequently, there is no privileged data that can be compromised and no vulnerability whatsoever. " 

Security Tracker agrees with this assessment and will remove the report from its database. We are also working with 
other security sites that list Security Tracker reports to make sure the CyberGuard "vulnerability" is removed as soon 
as possible. 

I confirm that I now request that your site remove the entry as it has been proven to be incorrect. 

Please inform me when this action has been completed. 

Jamie Fisher 
For completeness, the XSS is as follows:
alert('test')http://domain.tld>
 
CyberGuard make decent firewalls; the manner in which they manage their response to security vulnerbilities is poor.


bipin gautam <visitbipin () yahoo com> wrote:
huh!
Reviewing all the latest IE advisories, i believe they
are in a way attacking M$. So that its coutomers are
forced to choose another browser... due to the
security risks involved.

I will rate it as a birth of "E" - GORILLA WAR
stratigy? (o; of the minorities.


Can a company sue a person, for publishing
irresponsible sec. advisories as such? No offence. I
just wanna know your views. Afterall, the haxor is
reverse engineering the software. I don't know if M$
will ever fire a case against such ppl. in future with
a propaganda, TO PROTECT ITS USERS?

have your say?

bipin gautam
--- Berend-Jan Wever wrote:

> Hi all,
>
> In response to statements found at
http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html
> "Microsoft is concerned that this new report of a
> vulnerability in
> Internet Explorer was not disclosed responsibly,
> potentially putting
> computer users at risk," the company said in the
> statement. "We believe
> the commonly accepted practice of reporting
> vulnerabilities directly to a
> vendor serves everyone's best interests, by helping
> to ensure that
> customers receive comprehensive, high-quality
> updates for security
> vulnerabilities with no exposure to malicious
> attackers while the patch
> is being developed."
>
> About "responsible disclosure":
> The origional vulnerability was found and disclosed
> by ned. As far as I
> know, ned only knew he had found something that
> crashed MSIE: a bug.
> Microsofts concerns would suggest two options:
> 1) They expect everybody who finds a bug to
> investigate the issue and act
> according to the impact the problem might have on
> security. I do not think
> this is likely to happen unless everybody is
> required to be a 1337
> ubergeek before they are allowed to use MS software.
> It's a nice goal to
> aim for, but not very realistic.
> 2) You can not talk about your software crashing,
> ever, unless it's to the
> vendor: You might have stumbled upon a vulnerability
> and if a malicous
> attacker hears about it, he might use it.
>
> About "commonly accepted practice of reporting
> vulnerabilities directly to
> a vendor":
> When did they arrest all the black-hats ?
>
> About "no exposure to malicious attackers while the
> patch is being
> developed":
> Allthough I believe in responsible disclosure of
> vulnerabilities, it DOES
> NOT prevent malicious attackers to discover and
> exploit the same
> vulnerability while a patch is being developed.
> Resonsible disclosure
> decreases the chance of somebody hacking your system
> while you are
> vulnerable, it doesn't make it zero.
>
> Anybody who understands basic bufferoverflow
> techniques will be able to
> write an exploit for this vulnerability. I did it in
> a few minutes, so how
> hard can it be ? I do not feel I disclosed anything
> new, I just saved a
> lot of people the trouble of writing it themselves.
>
> The vulnerability has been rated "extremely
> critical" since I released the
> exploit. I say it was allready "extremely critical"
> before ned disclosed
> his information, only nobody knew it was there. It
> was "extremely
> critical" when ned did, but only a few could grasp
> that. Then I explained
> it was an easy to exploit bufferoverflow, it still
> did not get much
> attention.
> Writing the exploit hasn't changed the flaw or it's
> impact, it just
> attracked the right amount of attention to the
> problem.
>
> Cheers,
> SkyLined
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html




__________________________________ 
Do you Yahoo!? 
Check out the new Yahoo! Front Page. 
www.yahoo.com 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


                
---------------------------------
 ALL-NEW Yahoo! Messenger - all new features - even more fun!