On Thu, Jun 10, 2010 at 12:16 PM, Tavis Ormandy <tav...@cmpxchg8b.com> wrote:
> > I will not answer any more uninformed questions on this topic.
>
> Riddle me this Tavis. For why not responsible disclosure you put millions of Microsoft customers at risk.

Hello list,

I'd like to warn you about reckless disclosure. Imagine if you will a car maker, say Toyota. Owner of Toyota know of vulnerability that when drive car, car go fast. It's a security risk. Imagine what happen when driver go to Toyota: "Hey Chinky Car Maker Is You Car Go Fast Vroom Vroom and can kill someone!*&%$!"

Car maker think fast with risk assessment:

1) Does the public know?
   a) No, they not know - recall not necessary, we spend money on recall
   b) No, public not fully aware - somewhat aware - we bribe those aware
   c) Public know - we now look like fool - damage reputation of Tavis who reported risk

List, I'd like to warn you about Microsoft politics for disclosure. True politics people who not report security do not see in real world perspective.

2010-05-07 - Musntlive contact Microsoft for 0day which take over MSN Messenger with a single message, need point of contact

2010-05-08 - Microsoft Security Response Center reply:

    Hello,
    Thank you for this report. How would an attacker get the code onto a victim system?
    Best Regards,
    (Name removed to protect lowly customer service monkey)

2010-05-08 - Musntlive reply:

    Hi,
    No you no understand, I send you message on you MSN and you MSN run my code like it or not. Here is my PoC. Inshallah!

2010-05-10 - MSRC reply:

    Hello,
    ActiveX are considered unsafe filetypes in Windows and other Microsoft products. The MSRC does not open cases on file types that are designed to run code and considered unsafe. If you find that there is a vector to reproduce the issue that does not require the execution of an unsafe file type please reply with details.
    Best Regards,
    (Name removed to protect lowly customer service monkey)

2010-05-10 - Musntlive scratch head and think: "You make ActiveX you MSRC monkey!"

2010-05-11 - Musntlive move up the MSRC foodchain Blackhat ShmooFoo style to open a can of whoop ass:

    Hi,
    My colleague (name removed to protect super cool MS fellow) let me know that you reached out to him on this issue. If you have additional information on this issue sec...@microsoft.com is the appropriate contact for it. Have you been able to reproduce the issue without leveraging an unsafe file type? Or through a remote vector?
    Best Regards,
    (name removed to protect innocent MSRC monkey)

2010-05-10 - Musntlive scratch head again and think: "You stupid MSRC monkey! Do you not see the code! Do you not see I pwn all is your system?!"

2010-06-01 - Musntlive make exploit live weapon of IM destruction and test test retest test test

2010-06-05 - Musntlive test on unsuspecting hot woman. Send message, instant camera control via MSN (latest version on Vista, 7, XP)

2010-06-10 - Musntlive semidiscloses weapon of IM destruction

2010-06-10 - Musntlive offer IM weapon he call Yudayajin Kuma for sale on black market, beginning bid $10,000.00

You see Susan and other non hacker monkeys, companies do not care for fix issue, they is care for covering their bungerholes.

I applaud Tavis, wish people would know the process to report bug and runaround companies give researchers who try to report problems.

No Full Disclosure, no more free bugs. Companies is not care to fix things that are not in the spotlight.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/