On 1/13/06, Peter Ferrie <[EMAIL PROTECTED]> wrote:
> [snip]
> >does anyone know the circumstances, in all cases, where the bug is
> >triggered or is there only speculation based upon exploit code
> >"working" against a given vulnerable implementation of the API?
>
> The triggering mechanism is well-u
Peter Ferrie wrote:
bkfsec:
The way I read what he's saying there, he's saying that you enter
malformed input and that malformed input pushes the executable code into
position to be executed...
There is no need for malformed input, though.
The description isn't great, since upon retu
[snip]
>does anyone know the circumstances, in all cases, where the bug is
>triggered or is there only speculation based upon exploit code
>"working" against a given vulnerable implementation of the API?
The triggering mechanism is well-understood: this incorrect record
length requirement is simply w
Back to the original subject:
[Full-disclosure] Steve Gibson smokes crack?
Does anyone know if Steve Gibson does indeed smoke crack? If Marion
Barry does, why can't he? These questions need answers! Or not,
happy friday, drink up.
-sb
On 1/13/06, eric williams <[EMAIL PROTECTED]> wrote:
> On
On 13 Jan 2006 14:31:06 -0800, Randal L. Schwartz wrote:
> > "Morning" == Morning Wood <[EMAIL PROTECTED]> writes:
>
> Morning> http://aolradio.podcast.aol.com/sn/SN-022.mp3
> Morning> claiming SetAbortProc() was a purpose placed backdoor...
>
> I've heard that WINE suffers from the same explo
On 1/13/06, Peter Ferrie <[EMAIL PROTECTED]> wrote:
> Todd Towles:
>
> >>Can anyone else verify Steve Gibson's assertion that this
> >>flaw was intentionally placed by Microsoft programmers?
>
> It's insecure-by-design, but it's working exactly as written.
> It's been in there for _15_ years, and p
> "Morning" == Morning Wood <[EMAIL PROTECTED]> writes:
Morning> http://aolradio.podcast.aol.com/sn/SN-022.mp3
Morning> claiming SetAbortProc() was a purpose placed backdoor...
I've heard that WINE suffers from the same exploit. How could
it be a microsoft "conspiracy" if WINE (implemented f
Notwithstanding the high probability that there was an unintended bug in the
intentionally planted bug. (Which bug do they patch?)
And no matter, the subject line of the thread remains true regardless.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of bkfs
From your extremely detailed query I'd have to say the NSA. That of
course is based on nothing.
-sb
On 1/13/06, Byrne, David <[EMAIL PROTECTED]> wrote:
>
>
> Our IPS vendor is reporting a number of customers affected by large volumes
> of traffic generated by a worm. Anyone have details?
>
>
>
Todd Towles:
>>Can anyone else verify Steve Gibson's assertion that this
>>flaw was intentionally placed by Microsoft programmers?
It's insecure-by-design, but it's working exactly as written.
It's been in there for _15_ years, and ported to every version of Windows.
Windows 3.0 supports it. :-/
On 1/13/06, Byrne, David <[EMAIL PROTECTED]> wrote:
>
>
> Our IPS vendor is reporting a number of customers affected by large volumes
> of traffic generated by a worm. Anyone have details?
how about asking your IPS or providing details? perhaps someone else
should have your job.
__
Title: Worm?
Our IPS vendor is reporting a number of customers affected by large volumes of traffic generated by a worm. Anyone have details?
Thanks,
David Byrne
Corporate IT Security
EchoStar Satellite L.L.C.
720-514-5675
[EMAIL PROTECTED]
_
Jason Coombs wrote:
The Microsoft corporate entity may not be malicious in terms of
purposefully planting backdoors with knowledge and consent of Gates et
al (this assertion is of course questionable) however, individual
programmers at Microsoft have probably planted backdoors on purpose.
T
Stan wrote:
> Where does it mention some government conspiracy dating back
> to the late 90's? Oh wait it doesn't... Todd chill out,
> you'll end up in cardiac ward if you're getting this worked
> over the facts. I could have said you planted the bug :-)
And perhaps I did =) I am trying to ch
bkfsec wrote:
A few incidents ("NSA" backdoor) aside, Microsoft's history with
security has been one of ineptness, not "maliciousness" per-se.
The Microsoft corporate entity may not be malicious in terms of
purposefully planting backdoors with knowledge and consent of Gates et
al (this assert
I wasn't agreeing it's a conspiracy, I was just saying they knew about
this being serious for a while and did nothing about it until it went
public for whatever reason.
-sb
On 1/13/06, bkfsec <[EMAIL PROTECTED]> wrote:
> Stan Bubrouski wrote:
>
> >Ordinarily I'd argue, but it's hard to when we find out
On 1/13/06, Todd Towles <[EMAIL PROTECTED]> wrote:
>
> Stan wrote:
> > Ordinarily I'd argue, but it's hard to when we find out
> > Microsoft knew about the bug for a long time and made a
> > conscious decision not to patch it even though they knew it
> > could lead to a system compromise.
>
> Also, M
On 1/13/06, Todd Towles <[EMAIL PROTECTED]> wrote:
>
> Stan wrote:
> > Ordinarily I'd argue, but it's hard to when we find out
> > Microsoft knew about the bug for a long time and made a
> > conscious decision not to patch it even though they knew it
> > could lead to a system compromise.
>
> Conciou
Stan Bubrouski wrote:
Ordinarily I'd argue, but it's hard to when we find out Microsoft knew
about the bug for a long time and made a conscious decision not to
patch it even though they knew it could lead to a system compromise.
People commented on how Microsoft put out a patch quicker than they
On 1/13/06, Todd Towles <[EMAIL PROTECTED]> wrote:
>
> Stan wrote:
> > Ordinarily I'd argue, but it's hard to when we find out
> > Microsoft knew about the bug for a long time and made a
> > conscious decision not to patch it even though they knew it
> > could lead to a system compromise.
>
> Also, M
On 1/13/06, Jason Coombs <[EMAIL PROTECTED]> wrote:
> Stan Bubrouski wrote:
> > Ordinarily I'd argue, but it's hard to when we find out Microsoft knew
> > about the bug for a long time and made a conscious decision not to
> > patch it even though they knew it could lead to a system compromise.
>
> It
Todd Towles wrote:
Austin wrote:
Can anyone else verify Steve Gibson's assertion that this
flaw was intentionally placed by Microsoft programmers?
Better yet, can anyone else verify what he is taking or mixing?
The way I read what he's saying there, he's saying that you enter
ma
Stan Bubrouski wrote:
Ordinarily I'd argue, but it's hard to when we find out Microsoft knew
about the bug for a long time and made a conscious decision not to
patch it even though they knew it could lead to a system compromise.
It's hard to imagine anything other than conscious and willful
pres
Stan wrote:
> Ordinarily I'd argue, but it's hard to when we find out
> Microsoft knew about the bug for a long time and made a
> conscious decision not to patch it even though they knew it
> could lead to a system compromise.
Also, Microsoft must have made the conscious decision to have it not
Stan wrote:
> Ordinarily I'd argue, but it's hard to when we find out
> Microsoft knew about the bug for a long time and made a
> conscious decision not to patch it even though they knew it
> could lead to a system compromise.
Conscious decision? So you are in the Microsoft meetings? Do
tell...d
Ordinarily I'd argue, but it's hard to when we find out Microsoft knew
about the bug for a long time and made a conscious decision not to
patch it even though they knew it could lead to a system compromise.
People commented on how Microsoft put out a patch quicker than they
usually would but this is
Austin wrote:
> Can anyone else verify Steve Gibson's assertion that this
> flaw was intentionally placed by Microsoft programmers?
Better yet, can anyone else verify what he is taking or mixing?
-Todd
___
Full-Disclosure - We believe in it.
Charter:
Can anyone else verify Steve Gibson's assertion that this flaw was
intentionally placed by Microsoft programmers?
http://www.grc.com/sn/SN-022.htm
Sune Kloppenborg Jeppesen wrote:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory
On a similar topic,
Wireless home networks; on any given day I can see/break into and use networks that are not my ssid, barring the free internet access, I have stumbled onto the fact that if a user is subscribed to a flat rate service say Vonage and they happen to use wireless for their priv
Novell SUSE Linux Enterprise Server Remote Manager Heap Overflow
iDefense Security Advisory 01.13.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
January 13, 2006
I. BACKGROUND
Novell SUSE Linux Enterprise Server is a platform for open source
computing in an enterprise e
http://aolradio.podcast.aol.com/sn/SN-022.mp3
claiming SetAbortProc() was a purpose placed backdoor...
*puff*puff*
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - h
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Why require passwords? It's trivial for a malicious user to bypass it,
and inconvenient for the legitimate user at the Denny's across the
street that just wants to check their email. Of course if you are
sending customer information, or any other s
I know we all get so excited about some very complex
and ingenious hack, but sometimes the most simple
thing can be the biggest problem. So many hotels are
offering wireless network that beams out all over the
premises and even out to their parking lot. I am
surprised how many don't even require a p
I believe I saw an attempt at an exploit on the 21st of December.
A website I visit regularly and would expect to be trustworthy opened a
background tab in Opera despite the built-in pop-up blocker (it does
happen occasionally). I noticed because Opera asked me what application I
would like to ope
www.lort.dk/DSR-farmerswife44sp1.pl says it all.
Cheers from the guys at www.lort.dk!!11 Vendor not informed, hahahaha
Hi,
One more mail about WMF, but ... My objective is to do a "Forensics
Analysis" about this event (WMF Threat) and understand what exactly
happened. Because something sounds strange ... for me! (And maybe only
for me ;-) )
27th dec: A guy published just a mail to Bugtraq… to show his exploit.
In
hahah yeah huh! a more detailed advisory would also be nice. this really
doesn't tell us much.
-- tom
-Original Message-
From: "Paul" <[EMAIL PROTECTED]>
Subj: RE: [Full-disclosure] Fortinet Advisory - Apple QuickTime
PlayerStripByteCounts Buffer Overflow Vulnerability
Date: Thu J
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:novell-nrm
Announcement ID:SUSE-SA:2006:002
Date:
receiving an odd email with an attached zip file called "My_Photo.zip"
containing a .jpg and a .bat that only has execution code of "My
Photo.jpg" in it. the .jpg itself looks to be an encrypted vb dll with
just the .jpg extension changed .. but I'm just curious as to how this
virus planned on execu
On Fri, 2006-01-13 at 10:04 +, Alla Bezroutchko wrote:
> $_SESSION['login'] = $db->getOne("SELECT login FROM users WHERE login=?
> AND secret_answer=?", array($_POST['login'], $_POST['secret_answer']));
>
> As you suggest it takes a trusted value from the database. It still
> does not pre
There is nothing that you have provided that indicates that this is a new class of vulnerability; this is a classic state management issue. The application is designed to have a password reset function, and in order for that function to behave properly application state must be enforced.
Essent
Hello,
[EMAIL PROTECTED] wrote:
Solution : Apple Computers has released a security update for this
vulnerability, which is available for downloading from Apple's web site
under security update.
providing a link next time would be nice. Hope this one
http://www.apple.com/quicktime/do
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 940-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 13th, 2006
Frank Knobbe wrote:
The proposed fix is -- besides being only specific to this example --
equally flawed. The underlying issue is that you trust user supplied
data. When a user supplies a user name for login purposes, you should
only use that input to perform a search in your database. If a match
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 939-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 13th, 2006