Full Disclosure mailing list archives

Re: iDefense Security Advisory 12.14.05: Trend Micro ServerProtect relay.dll Chunked Overflow Vulnerability

From: Matthew Murphy <mattmurphy () kc rr com>
Date: Wed, 14 Dec 2005 20:10:53 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

labs-no-reply () idefense com wrote:
> Matt,
>
> We don't disagree with you. The vulnerability lies in the Microsoft
> Foundation Classes (MFC) static libraries. Trend Micro also acknowledges
> this in their response. Unfortunately, Trend Micro's product
> distributions are vulnerable since they ship with the old static libraries.
>
> Michael Sutton
> Director, iDefense Labs

That's all well-and-good.  I see two problems with this, only one of
which deals with iDefense:

1. iDefense was sloppy about fact-checking and crediting prior reports.
If it surfaces that a vulnerability is a rediscovery of an unfixed
issue from a prior report, at least mention the prior report.
Particularly when you're buying/selling this as original research, it
makes iDefense look bad.

2. I'm betting that the reason why nobody at Trend paid more attention
than they did is because of the horrendous misdocumentation of the
service pack's fixes by Microsoft.  The only thing that has to do with
your report is that it makes the rediscovery of the issue more blatant.

It seems my post has been taken as more hostile toward iDefense than was
intended.  I'll say now that the majority of the blame for the fact this
was rediscovered in the first place lies squarely with Microsoft for its
spectacularly bad job of managing this vulnerability.  Had Microsoft
taken the initiative to actually inform customers that a hole existed
when it released Service Pack 6 for Visual Studio 6.0 (or chosen a more
effective delivery vehicle), I have no doubt that a company the size of
Trend would have been much less likely to be caught off guard.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDoNCsfp4vUrVETTgRAxsHAJ45XwlzkUr1y1T+EceGK8DB9Ul1egCfSXIy
YdHjZR1Kgc//4JTWCJMsSqA=
=cX5b
-----END PGP SIGNATURE-----

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/