Re: [Full-Disclosure] MSIE srcname property disclosure

2004-11-16 Thread Micheal Espinola Jr
Not to be a smart-ass, but sales reps typically don't know technical
details, nor should they.

Got link/more info/etc as to what you are referring to?


On Mon, 15 Nov 2004 15:37:42 -0500, Dave Aitel [EMAIL PROTECTED] wrote:
 
 
 That's a good question for your Microsoft sales rep. If you want
 technical details, Immunity has a working and reliable Wins exploit in
 the Vulnerability Sharing Club version of CANVAS. I think there's an
 interesting difference between how the Linux community handled the
 recent kernel bugs, and how Microsoft and other commercial vendors
 handle all bugs.
 
 Dave Aitel
 Immunity, Inc.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] MSIE srcname property disclosure

2004-11-15 Thread joe
How is it an example?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Aitel
Sent: Monday, November 08, 2004 9:49 AM
To: Michal Zalewski
Cc: Berend-Jan Wever; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] MSIE srcname property disclosure

SNIP
WINS is a classic example.
SNIP



RE: [Full-Disclosure] MSIE srcname property disclosure

2004-11-15 Thread joe
I don't know how your club works. 

Do you report to MS as well or just within your club that you charge people
to be part of? Has MS responded to you if you did report it? What was their
response that makes WINS a classic example?

  joe 

-Original Message-
From: Dave Aitel [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 15, 2004 3:38 PM
To: joe
Cc: 'Michal Zalewski'; 'Berend-Jan Wever'; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] MSIE srcname property disclosure

That's a good question for your Microsoft sales rep. If you want technical
details, Immunity has a working and reliable Wins exploit in the
Vulnerability Sharing Club version of CANVAS. I think there's an interesting
difference between how the Linux community handled the recent kernel bugs,
and how Microsoft and other commercial vendors handle all bugs.

Dave Aitel
Immunity, Inc.

joe wrote:

How is it an example?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Aitel
Sent: Monday, November 08, 2004 9:49 AM
To: Michal Zalewski
Cc: Berend-Jan Wever; [EMAIL PROTECTED]; 
[EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] MSIE srcname property disclosure

SNIP
WINS is a classic example.
SNIP





Re: [Full-Disclosure] MSIE srcname property disclosure

2004-11-15 Thread Dave Aitel
That's a good question for your Microsoft sales rep. If you want 
technical details, Immunity has a working and reliable Wins exploit in 
the Vulnerability Sharing Club version of CANVAS. I think there's an 
interesting difference between how the Linux community handled the 
recent kernel bugs, and how Microsoft and other commercial vendors 
handle all bugs.

Dave Aitel
Immunity, Inc.
joe wrote:
How is it an example?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Aitel
Sent: Monday, November 08, 2004 9:49 AM
To: Michal Zalewski
Cc: Berend-Jan Wever; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] MSIE srcname property disclosure
SNIP
WINS is a classic example.
SNIP



Re: [Full-Disclosure] MSIE srcname property disclosure

2004-11-15 Thread Dave Aitel
Joe,
http://www.immunitysec.com/services-sharing.shtml has the answers to 
your questions about the Immunity VSC, but my point was specifically 
about bugs that Microsoft knew about, but didn't think the public did. 
In Linux's case, said bugs would have a detailed advisory. In 
Microsoft's case, such bugs are wrapped into the next service pack silently.

Private firms such as Immunity and several others in the market often 
close the gaps, but it's likely that hackers have had such bugs for long 
periods of time.

Dave Aitel
Immunity, Inc.

joe wrote:
I don't know how your club works. 

Do you report to MS as well or just within your club that you charge people
to be part of? Has MS responded to you if you did report it? What was their
response that makes WINS a classic example?
 joe 

-Original Message-
From: Dave Aitel [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 15, 2004 3:38 PM
To: joe
Cc: 'Michal Zalewski'; 'Berend-Jan Wever'; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] MSIE srcname property disclosure

That's a good question for your Microsoft sales rep. If you want technical
details, Immunity has a working and reliable Wins exploit in the
Vulnerability Sharing Club version of CANVAS. I think there's an interesting
difference between how the Linux community handled the recent kernel bugs,
and how Microsoft and other commercial vendors handle all bugs.
Dave Aitel
Immunity, Inc.
joe wrote:
 

How is it an example?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Aitel
Sent: Monday, November 08, 2004 9:49 AM
To: Michal Zalewski
Cc: Berend-Jan Wever; [EMAIL PROTECTED]; 
[EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] MSIE srcname property disclosure

SNIP
WINS is a classic example.
SNIP


Re: [Full-Disclosure] MSIE srcname property disclosure

2004-11-08 Thread Michal Zalewski
On Mon, 8 Nov 2004, Berend-Jan Wever wrote:

 In response to statements found at
 http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html

Yup.

But what amuses me most, is the following bit:

  Microsoft has begun to investigate the Iframe vulnerability and has not
  been made aware of any program designed to exploit the flaw, the company
  said in an e-mail statement to CNET News.com.

When you posted your first message confirming that the problem is
exploitable, I forwarded it to [EMAIL PROTECTED], so that they know
they have a problem in case they do not read Full-Disclosure. I got no
response. Later, when you posted a working exploit, I sent them another
forward, including a remark it is probably a good idea to react now, if
they failed to do so before.

In response, I got a mail from Lennart of Microsoft Security Response
Center, saying that they are aware of the problem and read mailing lists,
and that my original mail simply got lost in the noise.

Several days later, this statement surfaces in an article, showing beyond
any doubt that they are, quite simply, lying to the public to save face
and gain time.

As much as I am not a rabid Microsoft hater, this pissed me off more than
a bit.

-- 
- bash$ :(){ :|:};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--- 2004-11-08 15:09 --

   http://lcamtuf.coredump.cx/photo/current/



Re: [Full-Disclosure] MSIE srcname property disclosure (E-GORILLA WAR strategy?)

2004-11-08 Thread bipin gautam
huh!
Reviewing all the latest IE advisories, I believe they
are in a way attacking M$, so that its customers are
forced to choose another browser due to the
security risks involved.

I will rate it as the birth of an E-GORILLA WAR
strategy? (o; of the minorities.


Can a company sue a person for publishing
irresponsible sec. advisories as such? No offence. I
just wanna know your views. After all, the haxor is
reverse engineering the software. I don't know if M$
will ever file a case against such ppl. in future with
a propaganda, TO PROTECT ITS USERS?

Have your say?

bipin gautam
--- Berend-Jan Wever [EMAIL PROTECTED] wrote:

 Hi all,
 
 In response to statements found at
 http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html
 
  Microsoft is concerned that this new report of a vulnerability in
  Internet Explorer was not disclosed responsibly, potentially putting
  computer users at risk, the company said in the statement. We believe
  the commonly accepted practice of reporting vulnerabilities directly to a
  vendor serves everyone's best interests, by helping to ensure that
  customers receive comprehensive, high-quality updates for security
  vulnerabilities with no exposure to malicious attackers while the patch
  is being developed.
 
 About responsible disclosure:
 The original vulnerability was found and disclosed by ned. As far as I
 know, ned only knew he had found something that crashed MSIE: a bug.
 Microsoft's concerns would suggest two options:
 1) They expect everybody who finds a bug to investigate the issue and act
 according to the impact the problem might have on security. I do not think
 this is likely to happen unless everybody is required to be a 1337
 ubergeek before they are allowed to use MS software. It's a nice goal to
 aim for, but not very realistic.
 2) You can not talk about your software crashing, ever, unless it's to the
 vendor: You might have stumbled upon a vulnerability and if a malicious
 attacker hears about it, he might use it.
 
 About commonly accepted practice of reporting vulnerabilities directly to
 a vendor:
 When did they arrest all the black-hats?
 
 About no exposure to malicious attackers while the patch is being
 developed:
 Although I believe in responsible disclosure of vulnerabilities, it DOES
 NOT prevent malicious attackers from discovering and exploiting the same
 vulnerability while a patch is being developed. Responsible disclosure
 decreases the chance of somebody hacking your system while you are
 vulnerable, it doesn't make it zero.
 
 Anybody who understands basic buffer overflow techniques will be able to
 write an exploit for this vulnerability. I did it in a few minutes, so how
 hard can it be? I do not feel I disclosed anything new, I just saved a
 lot of people the trouble of writing it themselves.
 
 The vulnerability has been rated extremely critical since I released the
 exploit. I say it was already extremely critical before ned disclosed
 his information, only nobody knew it was there. It was extremely
 critical when ned did, but only a few could grasp that. Then I explained
 it was an easy to exploit buffer overflow, it still did not get much
 attention.
 Writing the exploit hasn't changed the flaw or its impact, it just
 attracted the right amount of attention to the problem.
 
 Cheers,
 SkyLined


Re: [Full-Disclosure] MSIE srcname property disclosure

2004-11-08 Thread Georgi Guninski
0wning the windoze population is not enough for m$.

they also want to 0wn the intellectual property of bugs and exploits in their
warez.

as much as i love them, i must admit they are lamers.

-- 
where do you want bill gates to go today?

On Mon, Nov 08, 2004 at 12:40:08PM +0100, Berend-Jan Wever wrote:
 Hi all,
 
 In response to statements found at
 http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html



Re: [Full-Disclosure] MSIE srcname property disclosure

2004-11-08 Thread Elia Florio
Common laws in IT-security:

I° Micro$oft bugs law:
a bug is a bug only if found in a competitor's software (or if it
could be used in any commercial report to show Windoze is
better/stronger than other OSes).

II° Micro$oft bugs law:
Windoze has only the bugs that M$ says it has; every other bug, found
by bad-and-evil-security-guys, is not a bug.

III° Micro$oft bugs law:
every bug discovered by others is only a Windows Update problem or
a missing feature of the operating system which will be fixed in the next
service pack.

IV° Micro$oft bugs law:
if we find a bug ourselves... we fix it in the darkness
and then erase the programmers' memories so that they can never
remember it.

:)




Re: [Full-Disclosure] MSIE srcname property disclosure

2004-11-08 Thread Paul Schmehl
--On Monday, November 08, 2004 03:13:57 PM +0100 Michal Zalewski 
[EMAIL PROTECTED] wrote:
Several days later, this statement surfaces in an article, showing beyond
any doubt that they are, quite simply, lying to the public to save face
and gain time.
As much as I am not a rabid Microsoft hater, this pissed me off more than
a bit.
Never attribute to malice what can be explained by incompetence.  Most 
likely what happened is the left hand (PR) didn't know what the right hand 
(secure@) was doing.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] MSIE srcname property disclosure

2004-11-08 Thread Georgi Guninski
On Mon, Nov 08, 2004 at 01:33:17PM -0600, Paul Schmehl wrote:
 Never attribute to malice what can be explained by incompetence.  Most 
 likely what happened is the left hand (PR) didn't know what the right hand 
 (secure@) was doing.


suppose your logic were right.

so, when m$ pr talk, they don't know what the rest of the evil empire is
doing.

but what is the explanation if the m$ pr refuse to talk - as in the case
several hundred planes circling above a city ?

-- 
where do you want bill gates to go today?

 



Re: [Full-Disclosure] MSIE srcname property disclosure

2004-11-08 Thread Michal Zalewski
On Mon, 8 Nov 2004, Paul Schmehl wrote:

  [ Moderators - feel free to kill this ]

 Never attribute to malice what can be explained by incompetence.  Most
 likely what happened is the left hand (PR) didn't know what the right
 hand (secure@) was doing.

Highly unlikely; Microsoft Security Response is a team that, among other
things, manages and handles security response, including security-related
PR-esque functions (ever seen 'security evangelist' job postings on the
net?). The quote is fairly specific, so I doubt it could be spawned by a
lone PR drone who did not check with them.

-- 
- bash$ :(){ :|:};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--- 2004-11-08 21:35 --

   http://lcamtuf.coredump.cx/photo/current/



Re: [Full-Disclosure] MSIE srcname property disclosure

2004-11-08 Thread Gadi Evron
Dave Aitel wrote:
 This is another reason why studies comparing Microsoft's security to 
Open Source security are always bizarre. They compare the entire set of 
Linux vulnerabilities to a tiny subset of the bugs Microsoft knows 
about, but pretends other people don't. WINS is a classic example.

Actually, I personally have nothing against MS. They succeeded where 
many failed. Good for them!

Their bad attitude and bloody competitive nature can hardly be blamed in 
the world they compete in... and their corporate culture.. it's their 
own problem.

So where do I blame them? I blame them in how they treat me;
- They have released vague and mind-boggling advisories (where do I
  start?).
- They don't advertise most of their security issues (remember defcon a
  couple of years back with the CoDC and their we already use that
  computer name? issue? MS refused to give credit because they were
  already aware of the issue).
- They hide security patches inside other patches (so much that the best
  way to find Windows vulnerabilities is to do reversing on their
  patches).
- They pre-patch products and for that reason hold on patches until such
  products are out (XP SP2).
- They insist on dealing with trouble by either ignoring it or killing
  it by applying a band-aid (I'll give only one example: winnuke and
  closing the port).
And don't even get me started on viruses (all the way back through 
macro viruses and beyond).

I don't envy, hate or mock Microsoft. I actually appreciate what they 
have accomplished. I have a serious issue with their way of doing 
business with non-competition - the way they treat me as a security 
professional.

All the above, is naturally, only my personal opinion. I may have some 
of the details not 100% accurate, but I stand by the spirit of the words.

I tried to start a good-natured FACTUAL discussion on the subject in 
the past - but all the kiddies always jump up and yell. In this case, 
even some of my best friends meet the yelling criteria.

Oh.. and any idea why MS keeps adding caches on caches on caches to 
solve problems? It drives me crazy.
Which reminds me of a similar discussion on a list I own a bit back. 
Someone asked why IE keeps checking a certain Windows game - it was 
driving him crazy. So the Managing Director of a big 
disassembler/debugger company offered to make it a surprise discount 
on the order forms if someone wrote the name of the game there.
It was hilarious. :o)

That's the best you will see out of me on religion. I decide to comment 
on such issues about twice a year.

Gadi Evron.