[Full-disclosure] [PHPADSNEW-SA-2006-001] phpAdsNew and phpPgAds 2.0.8 fix multiple vulnerabilities

2006-03-26 Thread Matteo Beccati


phpAdsNew / phpPgAds security advisory PHPADSNEW-SA-2006-001

Advisory ID:   PHPADSNEW-SA-2006-001
Date:  2006-Mar-27
Security risk: medium risk
Applications affected: phpAdsNew, phpPgAds
Versions affected: <= 2.0.7
Versions not affected: >= 2.0.8




Vulnerability 1:  HTML injection / Cross-site scripting


Description
---
Some scripts inside the admin interface displayed parameters collected
by the delivery scripts without proper sanitizing or escaping. The
delivery scripts are publicly accessible, while the admin interface is
restricted to logged-in users. An attacker could therefore inject
HTML/XSS code through the public delivery scripts which would later be
rendered, and executed, in the browser of an administrator viewing the
admin interface.


Solution
---
- Upgrade to phpAdsNew or phpPgAds 2.0.8.



Vulnerability 2:  HTML injection / Cross-site scripting


Description
---
The login form echoed the unmodified query string back to the browser,
making it possible for an attacker to inject HTML/XSS code by using a
specially crafted URL.


Solution
---
- Upgrade to phpAdsNew or phpPgAds 2.0.8.


Contact information
---

The security contact for phpAdsNew and phpPgAds can be reached at:



Best regards
--
Matteo Beccati
http://phpadsnew.com
http://phppgads.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
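The two flaw classes the advisory describes, shown as an added example that is not phpAdsNew code: a login form that echoes the raw query string into its markup (vulnerability 2) and an admin page that renders a value recorded earlier by a public delivery script (vulnerability 1), each beside an output-escaped version. The parameter name `dest`, the allowed-parameter list, the payloads and the HTML fragments are constructed for illustration; the real phpAdsNew templates are not reproduced here.

```python
"""Reflected and stored HTML injection in the style of PHPADSNEW-SA-2006-001,
vulnerable and hardened renderers side by side. Added example; not phpAdsNew code.
The "dest" parameter, ALLOWED_PARAMS and the payloads are constructed."""
import html
from urllib.parse import parse_qs, urlencode

# Constructed attacker input: a crafted URL query string (vulnerability 2) and a
# value a public delivery script might record and the admin UI later display
# (vulnerability 1).
CRAFTED_QS = '?dest=1"><script>alert(document.cookie)</script>'
CRAFTED_DELIVERY_PARAM = '<img src=x onerror="alert(1)">'

# Parameters the login form legitimately needs to round-trip (assumed).
ALLOWED_PARAMS = {"dest"}


def vulnerable_login_form(query_string: str) -> str:
    """Echoes the raw query string into the form action, as the advisory describes."""
    return f'<form action="index.php{query_string}" method="post">'


def hardened_login_form(query_string: str) -> str:
    """Parses the query string, keeps only expected parameters, re-encodes them,
    then HTML-escapes the result for the attribute context it lands in."""
    params = parse_qs(query_string.lstrip("?"), keep_blank_values=True)
    kept = {k: v for k, v in params.items() if k in ALLOWED_PARAMS}
    action = "index.php" + ("?" + urlencode(kept, doseq=True) if kept else "")
    return f'<form action="{html.escape(action, quote=True)}" method="post">'


def vulnerable_admin_cell(stored_value: str) -> str:
    """Admin page rendering a value recorded by a public delivery script, unescaped."""
    return f"<td>{stored_value}</td>"


def hardened_admin_cell(stored_value: str) -> str:
    """Same cell, escaped at output time: the fix belongs at the HTML sink, not at
    storage, because the same value may be shown in more than one context."""
    return f"<td>{html.escape(stored_value, quote=True)}</td>"
```

The hardened login form does two things the vulnerable one does not: it drops parameters it does not expect, so an attacker cannot smuggle arbitrary text through an unused name, and it escapes the final string for the attribute it is placed in, which also defends against the `"` that closes the attribute early. The admin cell shows the stored case: the delivery script may store whatever it receives, as long as every page that later renders it escapes at output.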


Re: [Full-disclosure] WinPCap

2006-03-26 Thread Nick Withers
On Mon, 27 Mar 2006 08:03:40 +0100
"Aaron Gray" <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> Does anyone know why WinPCap has stopped working after MS post SP2 updates ?

If I were a betting man, I would guess that it hadn't... You'd
think this'd be the kind of thing they'd get onto fairly fast.

> Why, how, can it be fixed ?

You're probably best off addressing this 'un to the
winpcap-users mailing list. Please see
"http://www.winpcap.org/contact.htm" for more information.

> Aaron

-- 
Nick Withers
email: [EMAIL PROTECTED]
Web: http://www.nickwithers.com
Mobile: +61 414 397 446



Re: [Full-disclosure] New IE sploit?

2006-03-26 Thread Stelian Ene
[EMAIL PROTECTED] wrote:
> 
> 
> This will handle the announced sploit...assuming you do snort, courtesy
> of Bleeding-Snort:
> 
> http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities?view=markup
> 

This will handle the specific variation used in that exploit, but blocking this
completely is outside the scope of snort and most content scanners.
I see that even text/plain mails talking about the bug are "cleaned" by major
AVs. This is especially brain-dead behavior since all advisories clearly say
email is not a vector.
Due to the nature of JS, there are almost endless variations. Off the top of my
head:
- getElementById is not necessary; for example, use getElementsByName
- checkbox/radio + createTextRange is not the only way of triggering the bug
- infinite obfuscation using eval()
- infinite obfuscation using document.write()



[Full-disclosure] WinPCap

2006-03-26 Thread Aaron Gray



Hi,

Does anyone know why WinPCap has stopped working
after MS post SP2 updates ?

Why, how, can it be fixed ?

Aaron

Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code

2006-03-26 Thread Pilon Mntry

> of creating a full-featured browser, from scratch, with usability as
> good as IE and Firefox strikes me as a fairly tricky project.

I agree.

> What about using the facilities already provided by the OS to enforce
> the sandbox?

But then will it be possible to prevent buffer
overflows, still running on unmanaged code?

Very nice points by Dinis, esp. the one about the
"advantages" of using our boxes with less privileges
(for internet browsing).

-pilon

--- Brian Eaton <[EMAIL PROTECTED]> wrote:

> On 3/25/06, Dinis Cruz <[EMAIL PROTECTED]> wrote:
> > 4) Finally, isn't the solution for the creation of secure and
> > trustworthy Internet Browsing environments the development of browsers
> > written in 100% managed and verifiable code, which execute on a secure
> > and very restricted Partially Trusted Environments? (under .Net, Mono or
> > Java). This way, the risk of buffer overflows will be very limited, and
> > when logic or authorization vulnerabilities are discovered in this
> > 'Partially Trusted IE' the 'Secure Partially Trusted environment' will
> > limit what the malicious code (i.e. the exploit) can do.
>
> I am less than enthusiastic about most of the desktop java
> applications I use.  They are, for the most part, sluggish, memory
> gobbling beasts, prone to disintegration if I look at them cross-eyed
> or click the mouse too frequently.
>
> Usability problems with java applications are not necessarily due to
> managed code, of course, but the idea of creating a full-featured
> browser, from scratch, with usability as good as IE and Firefox
> strikes me as a fairly tricky project.  What about using the
> facilities already provided by the OS to enforce the sandbox?  Rather
> than scrapping the existing codebases, start running them with
> restricted rights.  Use mandatory access control systems to make sure
> the browser doesn't overstep its bounds.
>
> Regards,
> Brian


Re: [Full-disclosure] guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)

2006-03-26 Thread Valdis . Kletnieks
On Sun, 26 Mar 2006 20:12:04 +0200, Anders B Jansson said:
> 128 bit entropy in a password requires a long randomized passphrase.

Do you really need a full 128 bits of entropy?  Certainly 64 bits or
so isn't sufficient - but re-evaluate what you *really* need from the
password - 80, 96, or 112 bits may suffice...

> Avoiding accented chars (which is good unless you want to be locked out)
> You'll end up with just under 6 1/2 bits per char.

And that's assuming you pick a totally random series from the 96 or so
printable characters.  On the other hand,  common english text manages a
whole whopping 2 1/2 bits per character. 

> And a password/passphrase meeting all requirements above and being at least
> 20 chars long isn't very usable.

On the other hand, "My unckle Fred's purple iguane has a wart on its eyelid."
is 57 characters long and gets you at least fairly close to 128 bits of
entropy.  More if you randomly insert a special character or three.

(As an aside, note that wr17ing 1t in '1337 sty1e doesn't add much entropy -
only about 1 bit of entropy (since all you need to do is record "was it an
o or a 0", or "1 or l" or '3 or e' and so on).  Random injection of special
characters, such as 'igu#ana', adds more entropy.)


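The arithmetic behind the figures in the post above, as an added example that is not the poster's code. The per-character rates are the thread's own (log2 of roughly 95 printable ASCII characters for a random password, about 2.5 bits per character for English text). The two bonus models make the post's closing point comparable: leet substitution is modelled generously, as one bit per substitutable letter (was it swapped or not), while a randomly inserted special character costs the attacker a position guess plus a character guess. The alphabet sizes and the substitutable-letter set are assumptions.

```python
"""Password entropy estimates in the thread's terms. Added example, not the
poster's code. PRINTABLE_ASCII, ENGLISH_BITS_PER_CHAR, LEET_SUBSTITUTABLE and
SPECIALS are assumed values, chosen to match the figures quoted in the thread."""
import math
import string

PRINTABLE_ASCII = 95                 # space plus the 94 visible ASCII characters
ENGLISH_BITS_PER_CHAR = 2.5          # thread's estimate for ordinary English text
LEET_SUBSTITUTABLE = set("aeilost")  # letters with a common digit look-alike (4 3 1 1 0 5 7)
SPECIALS = string.punctuation        # 32 characters an attacker must also guess


def random_password_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_for_target(target_bits: float, bits_per_char: float) -> int:
    """Smallest length that reaches target_bits at the given per-character rate."""
    return math.ceil(target_bits / bits_per_char)


def passphrase_bits(text: str) -> float:
    """Entropy of ordinary English text at the thread's 2.5 bits/char estimate."""
    return len(text) * ENGLISH_BITS_PER_CHAR


def leet_bonus_bits(text: str) -> float:
    """Extra entropy from leet-speak, read generously: for each substitutable
    letter the attacker only has to guess whether it was swapped, one bit each."""
    return float(sum(1 for c in text.lower() if c in LEET_SUBSTITUTABLE))


def random_insertion_bonus_bits(text: str, inserted: int) -> float:
    """Extra entropy from inserting `inserted` random special characters at
    random positions: each costs a position choice in the (growing) string
    plus a character choice among SPECIALS."""
    bits = 0.0
    for i in range(inserted):
        positions = len(text) + i + 1   # the string has grown by i so far
        bits += math.log2(positions) + math.log2(len(SPECIALS))
    return bits


def compare(text: str, inserted: int = 3) -> dict:
    """Side-by-side figures for one password or passphrase."""
    return {
        "as_english": passphrase_bits(text),
        "as_random": random_password_bits(len(text)),
        "leet_bonus": leet_bonus_bits(text),
        "insertion_bonus": random_insertion_bonus_bits(text, inserted),
    }
```

With these rates a random printable-ASCII password needs 20 characters for 128 bits, which is the "at least 20 chars" figure the thread is reacting to, and an English sentence needs about 52 characters; the sample sentence in the post clears that. For a word like "iguana", three leet swaps are worth about 3 bits, whereas three randomly placed special characters are worth about 24 bits, which is the quantitative version of the aside.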

Re: [Full-disclosure] RE: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Veri

2006-03-26 Thread KF (lists)
"Sun will specially recognize and thank you for your contribution to the 
Java platform"
" you'll be recognized on a special 'Verifier Verified' web page on the 
JDK Community site"


Wow a free code audit for not even the cost of a t-shirt. Hats off to Sun.

-KF

Jeff Williams wrote:

> Sun has made the new design and implementation available to the
> community with a challenge to find security flaws in this important piece of
> their security architecture. https://jdk.dev.java.net/CTV/challenge.html.
> Kudos to Sun for engaging with the community this way.



[Full-disclosure] RE: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiab

2006-03-26 Thread Jeff Williams

> I am not a Java expert, but I think that the Java Verifier is NOT used on
> Apps that are executed with the Security Manager disabled (which I believe
> is the default setting) or are loaded from a local disk (see "... applets
> loaded via the file system are not passed through the byte code verifier"
> in http://java.sun.com/sfaq/)

I believe that as of Java 1.2, all Java code except the core libraries must
go through the verifier, unless it is specifically disabled (java
-noverify).  Note that Mustang will have a new, faster, better? verifier and
that Sun has made the new design and implementation available to the
community with a challenge to find security flaws in this important piece of
their security architecture. https://jdk.dev.java.net/CTV/challenge.html.
Kudos to Sun for engaging with the community this way.

--Jeff




Re: [Full-disclosure] guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)

2006-03-26 Thread Gareth Davies

Anders B Jansson wrote:

Biometrics fail, as has been shown several times before.
Biometrics require that there's no way of obtaining that information 
from the user,
or that there's no way to enter this data without the actual user 
being present.


And even then they fail if the actual user has a gun at his temple.




Then we need to return to the old mainframe concept of duress alarms 
(login with a * at the end or alternate login for situations when you 
are under duress).


The oldskool ;)

--
Gareth Davies - BS7799 LA, OPST

Manager - Security Practice

Network Security Solutions MSC Sdn. Bhd.
Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara,
Mont’ Kiara, 50480
Kuala Lumpur, Malaysia 
Phone: +603-6203 5303 or +603-6203 5920


www.mynetsec.com



Re: [Full-disclosure] guidelines for good password policyand maintenance / user centric identity with single passwords(or a small number at most over time)

2006-03-26 Thread <...>


On Mar 26, 2006, at 12:12 PM, Anders B Jansson wrote:


And even then they fail if the actual user has a gun at his temple.


Frankly, this is true of just about any authentication scheme.



and it will be strong enough for 95% of the world anyway.
Maybe having a different "alarm ringing" password that could signal
that something wrong is happening would be appropriate.



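The duress login that both of the preceding posts bring up (the mainframe-style "alternate login for situations when you are under duress" and the "alarm ringing" password), written out as an added example that is not code from the thread. It keeps a second, secret password per user that authenticates exactly like the real one but also raises an alarm. The user record layout, the PBKDF2 parameters and the alarm callback are constructed for illustration; a real deployment would keep the record in its user store and deliver the alarm to a monitored channel.

```python
"""Duress login: a second password that logs the user in normally and also
raises an alarm. Added example, not from the thread. UserRecord, the PBKDF2
iteration count and the alarm callback are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable

PBKDF2_ITERATIONS = 100_000   # assumed; tune to the deployment's latency budget


@dataclass(frozen=True)
class UserRecord:
    salt: bytes
    normal_hash: bytes
    duress_hash: bytes


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen record gives away neither password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(password: str, duress_password: str) -> UserRecord:
    """Store both passwords under one salt. The duress password must differ
    from the normal one, or the alarm would fire on every login."""
    if password == duress_password:
        raise ValueError("duress password must differ from the normal password")
    salt = os.urandom(16)
    return UserRecord(salt, derive(password, salt), derive(duress_password, salt))


def authenticate(record: UserRecord, password: str, alarm: Callable[[str], None]) -> bool:
    """Returns True for the normal and the duress password alike, so whoever is
    watching sees an ordinary successful login; the duress path additionally
    calls `alarm`. The candidate is derived once and compared against both
    stored hashes in constant time, so neither elapsed time nor the response
    reveals which password was typed."""
    candidate = derive(password, record.salt)
    is_normal = hmac.compare_digest(candidate, record.normal_hash)
    is_duress = hmac.compare_digest(candidate, record.duress_hash)
    if is_duress:
        alarm("duress login")
    return is_normal or is_duress
```

The "login with a * at the end" convention from the post is the special case `duress_password = password + "*"`: easy to remember, but also easy to guess for anyone who knows the convention, so an unrelated second password is the stronger choice. The alarm must go somewhere the coerced user's session cannot see, and the session it opens should be treated as a compromised one from that point on.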


[Full-disclosure] Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code

2006-03-26 Thread Dinis Cruz
Hi Jeff, comments inline

Jeff Williams wrote:
> Great topics.
>
> I'm a huge fan of sandboxes, but Dinis is right, the market hasn't really
> gotten there yet. No question that it would help if it was possible to run
> complex software like a browser inside a sandbox that restricted its ability
> to do bad things, even if there are vulnerabilities (or worse -- malicious
> code) in them.  
Absolutely, and do you see any other alternative? (or we should just
continue to TRUST every bit of code that is executed in our computers?
and TRUST every single developer/entity that had access to that code
during its development and deployment?)
>  I'm terrified about the epidemic use of libraries that are
> just downloaded from wherever (in both client and server applications). All
> that code can do *whatever* it wants in your environments folks!
>
>   
Yes they can, and one of my original questions was 'When considering the
assets, is there REALLY any major differences between running code as
normal user versus as an administrator?"
> Sandboxes are finally making some headway. Most of the Java application
> servers (Tomcat included) now run with their sandbox enabled (albeit with a
> weak policy). And I think the Java Web Start system also has the sandbox
> enabled.  So maybe we're making progress.
>   
True, but are these really secure sandboxes?

I am not a Java expert so I can't give you specific examples, but on the
.Net Framework a Partially Trusted 'Sandbox' which contains an
UnmanagedCode, MemberAccess Reflection or SkipVerification Permission
should not be called a 'Sandbox' since it can be easily compromised.
> But, if you've ever tried to configure the Java security policy file, use
> JAAS, or implement the SecurityManager interface, you know that it's *way*
> too hard to implement a tight policy this way.
And .Net has exactly the same problem. It is super complex to create a
.Net application that can be executed in a secure Partially Trusted Sandbox.
>   You end up granting all
> kinds of privileges because it's too difficult to do it right.  
And the new VS2005 makes this allocation of privileges very easy: "Mr.
developer, your application crashed because it didn't have the required
permissions. Do you want to add these permissions, Yes No?
(developer clicks yes) ... "You are adding the permission
UnmanagedCodePermission, are you sure, Yes No? ... (developer clicks yes
(with support from application architect and confident that all
competitor Applications require similar permissions))"
> And only the
> developer of the software could reasonably attempt it, which is backwards,
> because it's the *user* who really needs it right. 
Yes, it is the user's responsibility (i.e. its IT Security and Server
Admin staff) to define the secure environment (i.e. the Sandbox) that 3rd
party or internally developed applications are allocated inside their data
center.

> It's possible that sandboxes are going the way of multilevel security (MLS).
> A sort of ivory tower idea that's too complex to implement or use. 
I don't agree that the problem is too complex. What we have today is
very complex architectures / systems with too many interconnections.

Simplify the lot, get enough resources with the correct focus involved,
and you will see that it is doable.
> But it
> seems like a really good idea that we should try to make practical. But even
> if they do start getting used, we can't just give up on getting software
> developers to produce secure code.  There will always be security problems
> that sandboxes designed for the platform cannot help with.
>   
Of course, I am not saying that developers should produce insecure code,
I am the first to defend that developers must have a firm and solid
understanding of the tools and technologies  that they use, and also as
important, the security implications of their code.
> I'm with Dinis that the only way to get people to care is to fix the
> externalities in the software market and put the burden on those who can
> most easily avoid the costs -- the people who build the software. Maybe then
> the business case will be more clear.
>   
Yes, but the key here is not with money (since that would also kill
large chunks of the Open Source world).

One of the solutions that I like, is the situation where all software
companies have (by law) to disclose information about the
vulnerabilities that they are aware of (look at the Eeye model of
disclosing information about 'reported but unpatched vulnerabilities').

Basically, give the user data (as in information) that he can digest and
understand, and you will see the user(s) making the correct decision(s).
> (Your last point about non-verified MSIL is terrifying. I can't think of any
> reason why you would want to turn off verification -- except perhaps startup
> speed. But that's a terrible tradeoff.)
>   
See my previous post (on this same thread) about this issue, but I think
that .Net is not alone in skipping verification fo

[Full-disclosure] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code

2006-03-26 Thread Dinis Cruz




Hi Kevin

> Indeed this is somewhat surprising that there is no byte-code
> verification in place, especially for strong typing, since when you
> think about it, this is not too different than the "unmanaged" code case.

Well there is some byte code verification. For example if you
manipulate MSIL so that you create calls to private members (something
that you can't compile with VS.NET) you will get a runtime error saying
that you tried to access a private member. So in this case there is
some verification.

What I found surprising was how little verification was done by the CLR
when verification is disabled, see for example these issues:

  - Possible Type Confusion issue in .Net 1.1 (only works in Full Trust)
  - Another Full Trust CLR Verification issue: Exploiting Passing
    Reference Types by Reference
  - Another Full Trust CLR Verification issue: Changing Private Field
    using Proxy Struct
  - Another Full Trust CLR Verification issue: changing the Method
    Parameters order
  - C# readonly modifier is not enforced by the CLR (when in Full Trust)
  - Also related: JIT prevents short overflow (and PeVerify doesn't
    catch it) and ANSI/UNICODE bug in System.Net.HttpListenerRequest

Basically, Microsoft decided against performing verification on Full
Trust code (which is 99% of the .Net code out there remember). Their
argument (I think) is: "if it is Full Trust then it can jump to
unmanaged code anyway, so all bets are off" (I am sure I have seen this
documented somewhere in a Microsoft book, KB article or blog, but can't
seem to find it (for the Microsofties that are reading this (if any),
can  you post some links please? thanks))

Apart from a basic problem which is "You cannot trust Full Trust code
EVEN if it doesn't make ANY direct unmanaged call or reflection" there
is a much bigger one.

When (not if) Applications start to be developed so that they run in
secure Partially Trusted environments, I think that the developers will
find that their code will suffer from an immediate performance hit due
to the fact that Verification is now being done on their code (again,
for the Microsofties that are reading this (if any), can you post some
data related to the performance impact of the current CLR Verification
process? thanks)

> Apparently the whole "managed" versus "unmanaged" code only has to do
> with whether or not garbage collection is attempted.

yes, although I still think that we should fight for the words "Managed
Code" to include verification

> However, the real question is "is this true for ALL managed code or
> only managed code in the .NET Framework"?

I am not a Java expert, but I think that the Java Verifier is NOT used
on Apps that are executed with the Security Manager disabled (which I
believe is the default setting) or are loaded from a local disk (see
"... applets loaded via the file system are not passed through the byte
code verifier" in http://java.sun.com/sfaq/) 

> Of course if software quality improvement does not take
> place in these companies, their signing would be somewhat vacuous. But it
> would be better than nothing, since at least all such code would not be
> fully trusted by default.
  

Yes, and note that I strongly defend that: "All local code must NOT be
given Full Trust by default" (at the moment it is)

Dinis

PS: For the Microsofties that are reading this (if any), sorry for
the irony and I hope I am not offending anyone, but WHEN are you
going to join this conversation? (i.e. reply to these posts)

I can only see 4 reasons for your silence: a) you are not reading these
emails, b) you don't care about these issues, c) you don't want to talk
about them or  d) you don't know what to say.

Can you please engage and publicly participate in this conversation ...

Thanks



RE: [Full-disclosure] N3td3v crack hoe fund

2006-03-26 Thread y0himba
Sorry to do this on list, but was the email below related in any way to full
disclosure?  Was it at all necessary?  Just ignore the guy and move on. You
are giving him exactly what he wants, and becoming like him by sending this
crap. I enjoy this list immensely, but it drives me nuts when this stuff
starts to happen.  Now we will all be stuck sitting through the endless
replies, attitudes, and so forth.

I won't reply further.  Thanks and sorry again for doing it on list.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Q-Ball
Sent: Sunday, March 26, 2006 9:24 PM
To: Full Disclosure
Subject: [Full-disclosure] N3td3v crack hoe fund

By now I'm sure it's clear to everyone that n3td3v has a lot of pent up
frustration, most of which I would imagine is from childhood adolescence -
after all being 16yo and getting turned down by every chick because they
have to listen to his n3td3v world domination stories, would obviously be
somewhat frustrating for him. What I am proposing is to put an end to the
seemingly endless amount of inflated, useless, dribble that is of course the
n3td3v posts, by finally getting him laid. I'm aware that not everyone may
have a lot of cash to spare so to allow everyone to contribute, I would
suggest we all chip in 10c and save up for a crack hoe. Nothing too
expensive as they will of course have to listen to world domination stories,
but just enough to get the job done... 


Re: [Full-disclosure] N3td3v crack hoe fund

2006-03-26 Thread nodialtone
Dribble you say?  Let it rest.

On Sun, 2006-03-26 at 21:23, Q-Ball wrote:
> By now I'm sure it's clear to everyone that n3td3v has a lot of pent
> up frustration, most of which I would imagine is from childhood
> adolescence - after all being 16yo and getting turned down by every
> chick because they have to listen to his n3td3v world domination
> stories, would obviously be somewhat frustrating for him. What I am
> proposing is to put an end to the seemingly endless amount of
> inflated, useless, dribble that is of course the n3td3v posts, by
> finally getting him laid. I'm aware that not everyone may have a lot
> of cash to spare so to allow everyone to contribute, I would suggest
> we all chip in 10c and save up for a crack hoe. Nothing too expensive
> as they will of course have to listen to world domination stories, but
> just enough to get the job done...

[Full-disclosure] N3td3v crack hoe fund

2006-03-26 Thread Q-Ball
By now I'm sure it's clear to everyone that n3td3v has a lot of pent up frustration, most of which I would imagine is from childhood adolescence - after all being 16yo and getting turned down by every chick because they have to listen to his n3td3v world domination stories, would obviously be somewhat frustrating for him. What I am proposing is to put an end to the seemingly endless amount of inflated, useless, dribble that is of course the n3td3v posts, by finally getting him laid. I'm aware that not everyone may have a lot of cash to spare so to allow everyone to contribute, I would suggest we all chip in 10c and save up for a crack hoe. Nothing too expensive as they will of course have to listen to world domination stories, but just enough to get the job done...

[Full-disclosure] Buffer OverFlow in ILASM and ILDASM

2006-03-26 Thread Dinis Cruz




Hello, just in case you haven't seen this one...

Last year I found a Buffer Overflow in Microsoft's .Net SDK ILDASM tool
which I reported privately to MSRC and eventually (after Microsoft's
response) publicly to the (low profile) Owasp-dotnet mailing list. 

I was waiting for Microsoft to publicly post something about this
(although they are not going to fix it in the near future, they should
at least make their customers aware of the issue), but since they don't
seem willing to do it, here is a copy of the email I sent to the
Owasp-dotnet mailing list on 14th December 2005:

"I just posted to this forum (Owasp .Net » Forums » .Net Security)
a series of posts that existed in a private forum of www.owasp.net
(used for issues like this (i.e. we want the information to be shared
amongst selected Owasp.Net users but don't want it to be publicly
disclosed (yet))) about a vulnerability that me and Kerem discovered on
ILASM and ILDASM:


  - To MSRC: Buffer OverFlow in ILASM and ILDASM - The entire email
    conversation with MSRC ([EMAIL PROTECTED]) going from the initial
    response to the final answer where they will not treat this as a
    vulnerability and will not issue a security advisory for it (the
    solution will be included in the next Service Pack)
  - Buffer Overflow in ILASM - original email containing my first thoughts
  - ILDASM Exception Creator - little tool created by Kerem to create .Net
    assemblies that crash ILDASM
  - ILDASM vulnerability ShellCode development - more code snippets and
    comments (now related to trying to inject a shellcode into the
    vulnerable process)

The bottom line is that this is a real issue in 1.1 and 1.0 (2.0 seems to
mitigate them), Microsoft has acknowledged the problem but will not
release a patch any time soon.

So be careful when you ILDASM something.

I
also think that this issue needs further research since when we were
testing the Overflows we were finding them in several places in ILASM
and ILDASM (which means that there are probably many more variations
still to be discovered/mapped)

Dinis Cruz
Owasp .Net Project Leader
www.owasp.net "





Re: [Full-disclosure] Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws

2006-03-26 Thread MR BABS
You can not possibly understand the extent of n3td3v's absolute powers. N3td3v is infallible. Tom Cruise is, in fact, a member. The infosec community is just one big lol after the last.
On 3/26/06, GroundZero Security <[EMAIL PROTECTED]> wrote:

> first you say:
> "One reason being the folks within the n3td3v group are actually people
> from MS, YAHOO, AOL, etc already"
> or:
> "the n3td3v group is the biggest thing you'll ever meet in your life
> time"
> then later:
> "..as the big players get it so badly wrong in front of the international
> stage"
>
> isn't that conflicting ? first you pretend that you (and your imaginary
> group) would be the biggest shit out there,
> but then you refer to SANS as the big players while you first bragged that
> your imaginary people work for MS etc.
> try to keep your story straight
>
> - Original Message -
> From: n3td3v
> To: full-disclosure@lists.grok.org.uk
> Sent: Sunday, March 26, 2006 5:46 AM
> Subject: Re: [Full-disclosure] Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws
>
> > Wow, hence the ideals of being an anonymous group. Like if names were
> > put to list, they wouldn't be sacked straight away... Wake up, smell the
> > positives of being anonymous for five minutes, or maybe that leaves you,
> > CERT, SANS a bit head rubbed, just like SANS once said FIREFOX posed a
> > lesser threat than IE. OH, the guys I speak to at MS were chuckling about
> > that one. Of course SANS reversed their claim that FIREFOX was less
> > vulnerable than IE later, much later. The credibility of SANS, of course,
> > comes into question, while folks at n3td3v consortium laugh with glee, as
> > the big players get it so badly wrong in front of the international stage.
> >
> > On 3/26/06, William Lefkovics <[EMAIL PROTECTED]> wrote:
> >
> > > Not to mention the absence of legitimate names of the folks.
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hoye
> > > Sent: Saturday, March 25, 2006 7:08 PM
> > > To: full-disclosure@lists.grok.org.uk
> > > Subject: Re: [Full-disclosure] Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws
> > >
> > > On Sun, Mar 26, 2006 at 03:39:32AM +0100, n3td3v wrote:
> > > > One reason being the folks within the n3td3v group are actually people
> > > > from MS, YAHOO, AOL, etc already.
> > >
> > > You know, legitimate groups don't have to keep claiming, over and over,
> > > that they're legit. It's remarkable how that works.
> > >
> > > --
> > > "Totally mad. Utter nonsense. But we'll do it because it's brilliant
> > > nonsense." - Douglas Adams


[Full-disclosure] [ GLSA 200603-24 ] RealPlayer: Buffer overflow vulnerability

2006-03-26 Thread Matthias Geerdsen

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200603-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: RealPlayer: Buffer overflow vulnerability
  Date: March 26, 2006
  Bugs: #127352
ID: 200603-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

RealPlayer is vulnerable to a buffer overflow that could lead to remote
execution of arbitrary code.

Background
==========

RealPlayer is a multimedia player capable of handling multiple
multimedia file formats.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /        Unaffected
    -------------------------------------------------------------------
  1  media-video/realplayer            < 10.0.7                >= 10.0.7

Description
===========

RealPlayer is vulnerable to a buffer overflow when processing malicious
SWF files.

Impact
======

By enticing a user to open a specially crafted SWF file an attacker
could execute arbitrary code with the permissions of the user running
the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All RealPlayer users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/realplayer-10.0.7"

References
==========

  [ 1 ] CVE-2006-0323
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0323
  [ 2 ] RealNetworks Advisory
http://service.real.com/realplayer/security/03162006_player/en/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-24.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)

2006-03-26 Thread Anders B Jansson

James Longstreet wrote:
> On Mar 26, 2006, at 12:12 PM, Anders B Jansson wrote:
>> And even then they fail if the actual user has a gun at his temple.
>
> Frankly, this is true of just about any authentication scheme.


Exactly, so how far should you drive your requirements for an authentication 
scheme?

Pushing requirements too far will lead to weaker security and higher cost 
without any gain.

--
// hdw

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)

2006-03-26 Thread James Longstreet


On Mar 26, 2006, at 12:12 PM, Anders B Jansson wrote:
> And even then they fail if the actual user has a gun at his temple.

Frankly, this is true of just about any authentication scheme.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)

2006-03-26 Thread Anders B Jansson

coderman wrote:
> Creating a secure password:
>
> o Include punctuation marks and numbers.
> o Mix capital, lowercase and space characters.
> o Create a unique acronym.
> o Short passwords should be 8 chars at least.
>
> Weaknesses to avoid:
> o Don't use a password that is listed as an example or public.
> o Don't use a password you have been using for years.
> o Don't use a password someone else has seen you type.
> o Don't use a password that contains personal information.
> o Don't use words or acronyms that can be found in a dictionary.
> o Don't use keyboard patterns (qwerty) or sequential numbers.
> o Don't use repeating characters (aa11).

Remove the last one.
As long as the others are met this one will not add to strength, it will 
actually reduce it.

> Keep your password secure:
> o Never tell your password to anyone or use it where they can observe it.
> o Never send your password by email or speak it where others may hear.
> o Occasionally verify your current password and change it to a new one.
> o Avoid writing your password down.  (Keep it with you in a purse
> or wallet if you have to write down the password until you remember
> it.)

And never label that scrap of paper in any way.
Write it down on an old business card or something.
Don't give anyone who finds (or gains access to) your purse/wallet any clue of
what "d0gg13styl3" means or is related to.

> High assurance passwords / exotic threat model interactive auth: use
> challenge response for single use Key Encryption Keys containing a
> minimum of 128 bits of entropy in a full SHA-512 derived key.  exotic
> threat model implies full process for physical, emission,
> cryptographic and user interface security.  (i.e. expert level
> security infrastructure and flawless identity management).

128 bit entropy in a password requires a long randomized passphrase.
Avoiding accented chars (which is good unless you want to be locked out),
you'll end up with just under 6 1/2 bits per char.
And a password/passphrase meeting all requirements above and being at least
20 chars long isn't very usable.

> ideally this would be coupled with a personal vascular scan biometric
> device (user centric with vascular auth challenge to open/sign
> hardened internal secrets)

Biometrics fail, as has been shown several times before.
Biometrics require that there's no way of obtaining that information from the
user, or that there's no way to enter this data without the actual user being
present.

And even then they fail if the actual user has a gun at his temple.


--
// hdw

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)

2006-03-26 Thread coderman
comments?

Creating a secure password:

o Include punctuation marks and numbers.
o Mix capital, lowercase and space characters.
o Create a unique acronym.
o Short passwords should be 8 chars at least.

Weaknesses to avoid:

o Don't use a password that is listed as an example or public.
o Don't use a password you have been using for years.
o Don't use a password someone else has seen you type.
o Don't use a password that contains personal information.
o Don't use words or acronyms that can be found in a dictionary.
o Don't use keyboard patterns (qwerty) or sequential numbers.
o Don't use repeating characters (aa11).

Keep your password secure:

o Never tell your password to anyone or use it where they can observe it.
o Never send your password by email or speak it where others may hear.
o Occasionally verify your current password and change it to a new one.
o Avoid writing your password down.  (Keep it with you in a purse
or wallet if you have to write down the password until you remember
it.)

---

High assurance passwords / exotic threat model interactive auth: use
challenge response for single use Key Encryption Keys containing a
minimum of 128 bits of entropy in a full SHA-512 derived key.  exotic
threat model implies full process for physical, emission,
cryptographic and user interface security.  (i.e. expert level
security infrastructure and flawless identity management).

ideally this would be coupled with a personal vascular scan biometric
device (user centric with vascular auth challenge to open/sign
hardened internal secrets)

the odds of such a device being designed, produced and verified in an
open and full disclosure manner are not high. :P

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
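The entropy arithmetic Anders walks through in his reply (bits per character, and the length needed to reach 128 bits) and the mechanically checkable items in coderman's list, worked through as an added Python example. This is not code from either poster or from the list. The word lists, the run lengths used for the keyboard-pattern and sequential-digit rules, and the sample passwords are constructed assumptions. The entropy figure is an upper bound that assumes each character was chosen uniformly at random, which is the only case where "bits per character" means anything; over the 95 printable ASCII characters that gives roughly 6.5 bits per character and 20 characters for 128 bits, which is where the thread's numbers come from.

```python
import math
import re
import string

# Constructed word lists; a real deployment would load a full dictionary
# and a breached/public password list instead (assumption, not the thread's data).
DICTIONARY = {"password", "dragon", "monkey", "letmein", "welcome", "summer"}
PUBLIC_EXAMPLES = {"password", "changeme", "d0gg13styl3"}  # last one is the thread's own example

# Keyboard rows for the "qwerty" rule; digits are left to the
# sequential-number rule so the two checks stay distinct.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_keyboard_pattern(pw, run=4):
    """True if `run` consecutive characters walk a keyboard row forwards or backwards."""
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in p or seq[::-1] in p:
                return True
    return False


def has_sequential_digits(pw, run=3):
    """True if `run` digits in a row ascend or descend by one (123, 987)."""
    for m in re.finditer(r"\d{%d,}" % run, pw):
        d = [int(c) for c in m.group()]
        for i in range(len(d) - run + 1):
            diffs = {d[j + 1] - d[j] for j in range(i, i + run - 1)}
            if diffs == {1} or diffs == {-1}:
                return True
    return False


def has_repeated_run(pw):
    """True if any character is immediately repeated (aa, 11). The thread
    disputes the value of this rule; it is kept because the posted list has it."""
    return re.search(r"(.)\1", pw) is not None


def contains_dictionary_word(pw, words=DICTIONARY, min_len=4):
    """Case-insensitive substring match against the word list, ignoring short words."""
    p = pw.lower()
    return any(w in p for w in words if len(w) >= min_len)


def check_password(pw, personal_info=()):
    """Return the names of the posted rules that `pw` violates (empty list = passes)."""
    violations = []
    if len(pw) < 8:
        violations.append("too_short")
    if not any(c in string.punctuation for c in pw):
        violations.append("no_punctuation")
    if not any(c.isdigit() for c in pw):
        violations.append("no_digit")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        violations.append("no_case_mix")
    if pw.lower() in PUBLIC_EXAMPLES:
        violations.append("public_example")
    if any(info and info.lower() in pw.lower() for info in personal_info):
        violations.append("personal_info")
    if contains_dictionary_word(pw):
        violations.append("dictionary_word")
    if has_keyboard_pattern(pw):
        violations.append("keyboard_pattern")
    if has_sequential_digits(pw):
        violations.append("sequential_digits")
    if has_repeated_run(pw):
        violations.append("repeated_chars")
    return violations


def bits_per_char(alphabet_size):
    """Entropy of one character drawn uniformly from an alphabet of this size."""
    return math.log2(alphabet_size)


def chars_for_entropy(target_bits, alphabet_size):
    """Shortest uniformly random string over the alphabet that reaches target_bits."""
    return math.ceil(target_bits / bits_per_char(alphabet_size))


def estimate_entropy_bits(pw):
    """Upper-bound estimate: every character treated as drawn uniformly from the
    union of the classes present (26 lower + 26 upper + 10 digits + 32 punctuation
    + 1 space = 95 printable ASCII). Human-chosen passwords have far less."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, 32), (lambda c: c == " ", 1))
    size = sum(n for pred, n in classes if any(pred(c) for c in pw))
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # Constructed sample passwords; the last one is meant to pass every rule.
    for pw in ("qwerty123", "d0gg13styl3", "Tr4in!Gl0ve&Mist-7"):
        print(pw, check_password(pw), round(estimate_entropy_bits(pw), 1))
    print(chars_for_entropy(128, 95))  # 128 bits from printable ASCII: 20 characters
```

The rule checks are deliberately simple substring and run tests; they catch what the posted list names and nothing more, and the disputed "repeating characters" rule is kept as a separate function so a policy can drop it, as Anders suggests, without touching the rest.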


[Full-disclosure] Fwd: RFA: hardware, wireless, defcon (request for assistance with project release/distribution/runtime at defcon 14)

2006-03-26 Thread coderman
i'd also encourage everyone to hack the shit out of this at the
conference as well...

(like i told a naval infowar red team entity in a drunken boast of
very little intelligence last year: 'get as blackhat on this
motherfucker as you want!')

-- Forwarded message --
From: coderman <[EMAIL PROTECTED]>
Date: Mar 26, 2006 8:37 AM
Subject: RFA: hardware, wireless, defcon (request for assistance with
project release/distribution/runtime at defcon 14)
To: [EMAIL PROTECTED]


:: public request for help with janus wireless / open source project
at defcon 14 ::

if you will be at defcon 14 this august and have one or more of the
following and would be willing to help with an open source project
launch / test during the con please get in touch with me using
Off-The-Record or coordinate a meat space rendezvous via email -
[EMAIL PROTECTED]

coderman42 on AIM :: OTR print A59CDCB3 46468A16 27D21678 270AF0B5 0B0477CF

my appreciation to anyone and everyone for their help; we will need it
(we are a very small group based in portland with limited resources
and time).

i will try to express my appreciation and reward your generosity in
some fashion.  please forward this to anyone with crypto clue who
might be interested and likely to participate.

desired and/or required:
-  VIA Nehemiah hardware and >128M of memory.  C5XL, C5P or C5J / C7  required.
-  slimline IDE or USB CDROM/DVDROM drives.

-  any x586/Pentium system with > 128M of ram and 8G or more free on
unformatted disk partition.

-  portable USB storage devices that can be formatted to XFS/iso image.

-  any system capable of burning single or dual layer DVD-R discs.

-  any wireless equipment that can support WPA/WPA2 EAP TLS w RADIUS
(enterprise mode)

-  any prism2, hermes, atheros, cisco, intel or other linux supported
wireless hardware in pcmcia/cardbus or mini-PCI/PCI formfactor.
200mW+ especially useful.

-  802.11 or other HAM/FHSS/DSSS/OFDM amplifiers in the 900MHz,
2.4GHz, and 5.8GHz bands (or other reasonable bands - HAM with
auth/no-privacy packet radio signalling?)

-  antennas / cables / filters / mounting systems / for any of the above bands.

-  audio/video recording and/or mastering equipment and knowledge.

-  home/work/edu internet bandwidth that can support and would be
available for the conference (or a subset) running a tor proxy and/or
bittorrent seeder.  traffic shaping and read-only boot/runtime is
supported if you use the live ISO cd for hosting a tor[rent] node.
please consider the potential security risks of running a tor node
reachable from a private defcon wireless network before agreeing to
this.  middle/relay only nodes would still be helpful.

- well CPU and memory endowed systems that you would make available to
a private IPsec/OpenVPN network for distributed build and test
services.


all hardware you want to keep is encouraged to stay in your possession
and a few hours or more would be helpful when contributing time/skills
at the conference.  you will need to meet me in person before or the
day of the conference.  the earlier the better.

thanks again,
  i look forward to meeting any of you in person and discussing this
project and code.

martin - janus wireless

[EMAIL PROTECTED]|peertech.org|charter.net|mindspring.com

 'bastardized Leonard Cohen; the only quote you'll ever see
me tarnish so,'
---cut---

"It is not to tell you anything
But to live forever
That I write this.

...

This is the only code
I can write.
I am the only one
who has built it.
I didn't kill myself
When things went wrong
I didn't shirk difficult integrity,
  when the easy seduced me.
I learned to write
I learned to code
What might be named
On nights like this
By one like me.
"
---end-cut---

-- out of date and high level description of what this project is all about:


0.  Overview

Warning: this software is in early experimental stages and should be
used accordingly.   The Janus Wireless distribution provides a secure
environment for private group networking.   Please read the rest of
this document for a description of digital identity and group
networking features implemented in this release.


1.  Identity Management

The cornerstone of any secure system is the concept of digital
identity used to establish authenticated sessions and manage
resources.   The Janus Wireless software defines your identity with a
combination of passphrase and a USB memory stick.   Both of these
methods must be used together to authenticate you and should be
protected like you would protect keys to other valuable personal items
like a residence or vehicle.  It is very important that you understand
the security of your communications and data is dependent on the
security of your passphrase and USB memory stick.   Store these safely
and never use them on a computer where your passphrase may be captured
(key logger or shoulder surfer) or the USB memory copied.

Physically hardened tamper resistant and/or evident hardware tokens
may be used where needed for

Re: [Full-disclosure] Industry calls on Microsoft to scrapPatchTuesday for Critical flaws

2006-03-26 Thread GroundZero Security




first you say:
"One reason being the folks within the n3td3v group are actually people 
from MS, YAHOO, AOL, etc already"
or:
"the n3td3v group is the biggest thing you'll ever meet in your life 
time"
then later:
"..as the big players get it so badly wrong infront of the international 
stage"
 
isn't that conflicting? first you pretend that you (and your imaginary 
group) would be the biggest shit out there,
but then you refer to SANS as the big players while you first bragged that 
your imaginary people work for MS etc.
try to keep your story straight

  - Original Message -
  From: n3td3v
  To: full-disclosure@lists.grok.org.uk
  Sent: Sunday, March 26, 2006 5:46 AM
  Subject: Re: [Full-disclosure] Industry calls on Microsoft to scrapPatchTuesday for Critical flaws

  Wow, hence the ideals of being an anonymous group. Like if names were put
  to list, they wouldn't be sacked straight away... Wake up, smell the
  positives of being anonymous for five minutes, or maybe that leaves you,
  CERT, SANS a bit head rubbed, just like SANS once said FIREFOX posed a
  lesser threat than IE. OH, the guys I speak to at MS were chuckling about
  that one. Of course SANS reversed their claim that FIREFOX was less
  vulnerable than IE later, much later. The credibility of SANS, of course,
  comes into question, while folks at n3td3v consortium laugh with glee, as
  the big players get it so badly wrong in front of the international stage.

  On 3/26/06, William Lefkovics <[EMAIL PROTECTED]> wrote:
  > Not to mention the absence of legitimate names of the folks.
  >
  > -Original Message-
  > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hoye
  > Sent: Saturday, March 25, 2006 7:08 PM
  > To: full-disclosure@lists.grok.org.uk
  > Subject: Re: [Full-disclosure] Industry calls on Microsoft to scrapPatchTuesday for Critical flaws
  >
  > On Sun, Mar 26, 2006 at 03:39:32AM +0100, n3td3v wrote:
  > > One reason being the folks within the n3td3v group are actually people
  > > from MS, YAHOO, AOL, etc already.
  >
  > You know, legitimate groups don't have to keep claiming, over and over,
  > that they're legit. It's remarkable how that works.
  >
  > --
  > "Totally mad. Utter nonsense. But we'll do it because it's brilliant
  > nonsense." - Douglas Adams
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws

2006-03-26 Thread Javor Ninov
Why do you continue to feed the troll?
Those kind of people need attention.. and you give them the attention
needed. They feel happy when somebody argues with them ... and you argue
with them. You just give them live energy.
It is obvious that "n3td3v group" is just a lame kid searching for
attention. The only thing that I don't get is why you all respond to
n3td3v's crap? I thought you all are smart and decent people? Can you
just disregard n3td3v's bullshit and kill the foolish kid with silence?

Javor Ninov aka DrFrancky
http://securitydot.net/

[EMAIL PROTECTED] wrote:
> Rogue employees?
>
> Alright shit stain. Yeah.. MS is going to listen to a group of
> "rogue employees" lol
>
> On Sat, 25 Mar 2006 19:34:43 -0800 n3td3v <[EMAIL PROTECTED]> wrote:
>> *I work with rogue employee vendors around the world to bring good
>> Hack active solution about within the community, if you can't
>> understand that, then you need to sit down and realise that the
>> n3td3v group is the biggest thing you'll ever meet in your life
>> time, in terms of rogue employees getting together to make their
>> voice heard.*
>>
>> *We can agree in that one guy, has many voices, if that helps your
>> cause mr 0x80!*
>> Or we can argue the crypto of the n3td3v group further if you wish
>> to go down that road...
>>
>>
>> On 3/26/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>> WE?
>>>
>>> You are one guy.  Actually you are one stupid guy who obviously has
>>> zero clue about how real enterprise level infrastructures handle
>>> patch management.
>>>
>>> Patch Tuesday is a good thing as it supports a sound patch
>>> management methodology.  I wouldn't expect you to know this because
>>> it is clear that you are some idiotic kid.
>>>
>>> On Sat, 25 Mar 2006 14:12:23 -0800 n3td3v <[EMAIL PROTECTED]> wrote:
>>>> Dear Microsoft and Security Community,
>>>>
>>>> In light of WMF and recent HTA flaws, we n3td3v group are calling
>>>> on the following:
>>>>
>>>> We are calling for Microsoft to scrap Patch Tuesday officially for
>>>> critical flaws in its product line(s).
>>>>
>>>> You Microsoft must officially agree that all flaws marked as
>>>> "Critical" must have a patch within 7 to 14 days of public
>>>> disclosure.
>>>>
>>>> People power will change policy by forwarding this e-mail to:
>>>>
>>>> [EMAIL PROTECTED]
>>>>
>>>> Reason for this e-mail:
>>>>
>>>> Reports are coming into our intelligence body that mass HTA
>>>> hacking is being carried out world wide.
>>>>
>>>> & of course unofficial patches cause a greater security risk than
>>>> the flaw itself:
>>>>
>>>> http://groups.google.com/group/n3td3v/browse_thread/thread/83607ba833b697b0/8f0be3bc9c2436c4
>>>>
>>>> Links:
>>>>
>>>> n3td3v group HQ:
>>>> http://groups.google.com/group/n3td3v
>>>>
>>>> Hacktivism scene information:
>>>> http://en.wikipedia.org/wiki/Hacktivism



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws

2006-03-26 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 

body > contains > n3td3v
from > contains > n3td3v

delete message
delete from pop server

is a good solution in thunderbird to get rid of this FD bug.

cheers.

[EMAIL PROTECTED] wrote:
> well for me, n3td3v, and probably a lot here, you are in the junk
> settings because I think most of the FD list is really pissed off by your
> international kiddie attitude...
>
> n3td3v wrote:
>>> Sorry to say the n3td3v group involves employees (rogue) who
>>> have called for this. You can ringgle and ranggle your political
>>> point of users within the MS not having enough time scale to
>>> promote to a certain issue, but that's complete crap. One reason
>>> being the folks within the n3td3v group are actually people
>>> from MS, YAHOO, AOL, etc already. The folks at n3td3v group are
>>> part of the industry already, for you to put your point across
>>> Mr Valdis is cool, but the n3td3v group if you hadn't realised
>>> before is part of a between the major dot coms.
>>>
>>> On 3/26/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>>
>>> On Sat, 25 Mar 2006 22:12:23 GMT, n3td3v said:
>>>
 You Microsoft must officially agree that all flaws marked as
>>> "Critical" must
 have a patch within 7 to 14 days of public disclosure.
>>>
>>> OK... Nice try.
>>>
>>> Too bad you didn't add a requirement that the patch actually be
>>>  *correct*.
>>>
>>> Also, you're totally overlooking the fact that *sometimes*,
>>> fixing a problem requires some major re-architecting - for
>>> instance, if an API has to be changed, then *every* caller has
>>> to be updated, and quite possibly re-designed, and the changes
>>> have an annoying tendency to ripple outward (if subroutine A
>>> has a 7th parameter added, then everybody who calls A has to be
>>>  updated.  And it's likely that you'll find routines B, C, and
>>> D that have no *idea* what the correct value of the parameter
>>> should be, because they don't have access to the data - so now
>>> callers of B, C, and D have to pass another parameter that gets
>>>  passed to A).
>>>
>>> Any company that will commit to a "must" on this one is nuts.
>>> It's a good target, but making it mandatory is just asking
>>> companies to ship a half-baked patch that seems to fix the PoC
>>> rather than the underlying design flaw.
>>>
>>> And going back and reviewing the patch history on IE is
>>> instructive - more than once, Microsoft has released a patch
>>> for a known Javascript flaw, only to find out within a week
>>> that a very slight change would make the exploit work again.
>>>
>>> Is that *really* what you want?  It's certainly not what *I*
>>> want.  Waiting another 3-4 days past your arbitrary 14-day
>>> limit for a *good* patch is certainly preferable for those of
>>> us who actually have to deal with this stuff for a living,
>>> rather than hide out on a Yahoo group.
>>>
>>>
>>>
>>>
>>>
>>>
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.1 (MingW32)
 
iD8DBQFEJn59FJS99fNfR+YRAhklAJ98pTU41bErz0MaNrKjSwOl7Aj1+QCZAXSh
RKprp09ZOCSj6gvC3ep40Yc=
=iLDC
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws

2006-03-26 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
well for me, n3td3v, and probably a lot here, you are in the junk
settings because I think most of the FD list is really pissed off by your
international kiddie attitude...

n3td3v wrote:
> Sorry to say the n3td3v group involves employees (rogue) who have
> called for this. You can ringgle and ranggle your political point of
> users within the MS not having enough time scale to promote to a
> certain issue, but that's complete crap. One reason being the folks
> within the n3td3v group are actually people from MS, YAHOO, AOL, etc
> already. The folks at n3td3v group are part of the industry already,
> for you to put your point across Mr Valdis is cool, but the n3td3v
> group if you hadn't realised before is part of a between the major
> dot coms.
>
> On 3/26/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> On Sat, 25 Mar 2006 22:12:23 GMT, n3td3v said:
>
> > You Microsoft must officially agree that all flaws marked as
> "Critical" must
> > have a patch within 7 to 14 days of public disclosure.
>
> OK... Nice try.
>
> Too bad you didn't add a requirement that the patch actually be
> *correct*.
>
> Also, you're totally overlooking the fact that *sometimes*,
> fixing a problem
> requires some major re-architecting - for instance, if an API
> has to be changed,
> then *every* caller has to be updated, and quite possibly
> re-designed, and
> the changes have an annoying tendency to ripple outward (if
> subroutine A
> has a 7th parameter added, then everybody who calls A has to be
> updated.  And
> it's likely that you'll find routines B, C, and D that have no
> *idea* what the
> correct value of the parameter should be, because they don't
> have access to the
> data - so now callers of B, C, and D have to pass another
> parameter that gets
> passed to A).
>
> Any company that will commit to a "must" on this one is
> nuts.  It's a good
> target, but making it mandatory is just asking companies to ship
> a half-baked
> patch that seems to fix the PoC rather than the underlying
> design flaw.
>
> And going back and reviewing the patch history on IE is
> instructive - more than
> once, Microsoft has released a patch for a known Javascript
> flaw, only to find
> out within a week that a very slight change would make the
> exploit work again.
>
> Is that *really* what you want?  It's certainly not what *I*
> want.  Waiting
> another 3-4 days past your arbitrary 14-day limit for a *good*
> patch is certainly
> preferable for those of us who actually have to deal with this
> stuff for a living,
> rather than hide out on a Yahoo group.
>
>
>
>
>

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.1 (MingW32)
 
iD8DBQFEJnzeFJS99fNfR+YRArtZAKCVWIGekBeIyCSPIBC4M6ouQrNQzgCaAoJt
NV62LR4xtgZ6BnT/dozX0vU=
=W52r
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-26 Thread Randal T. Rioux
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

Gadi Evron wrote:

> of security attitude I wonder why anybody believes OpenBSD is the most
> secure OS around.

No - that would be OpenVMS   :-)

At least until HP kills it.

Randy. still wondering what is 'open' about VMS

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEJkoXRrGMQdCNGUERAxXeAJsGwsgHx3bIQPpQVA5rM+PEEZMn1QCff4qk
fgjq68/XYJXXmvVg7n84R6I=
=pIi8
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/