| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Jun 2004 15:04:02 -0700 From: "Drew Copley" <dcopley@...e.com> To: <1@...ware.com>, <bugtraq@...urityfocus.com> Subject: RE: Microsoft and Security > -----Original Message----- > From: http-equiv@...ite.com [mailto:1@...ware.com] > Sent: Friday, June 25, 2004 11:53 AM > To: bugtraq@...urityfocus.com > Subject: Microsoft and Security <snip> > A vulnerability: > > http://www.microsoft.com/technet/archive/community/columns/securi > ty/essays/vulnrbl.mspx > > "A security vulnerability is a flaw in a product that makes it > infeasible - even when using the product properly-to prevent an > attacker from usurping privileges on the user's system, > regulating its operation, compromising data on it, or assuming > ungranted trust." > > what this gibberish? For the past 10 months the adobd.stream > object is capable of writing files to the "all important > customer's" computer. It has real world consequences. It rapes > their computer. Does it fit into the gibberish custom > definition. Plain and simple: "A security vulnerability is a > flaw in a product that makes it infeasible". What kind of > language is this. Reads like the financial department conjured > it up. LOL. Very well said... I think the point is not being pushed home, though. Ten month old vulnerability. Common denominator for all of these attacks. This latest one is using the same flaw we saw in one this past Spring. It is not the latest zero day, according to Symantec's latest paper. In fact, even they state up front "to deploy the workaround for the adodb stream issue". Workaround. This adodb stream issue - found by Jelmer - is unfixed by Microsoft. I do not know why. I suppose it fits into their competitive "motif" somehow. They like to do these sorts of things. It is a "bar lowering" vulnerability. Otherwise, these other attacks would not work. They never would have worked. The workaround kill bits the activex. There is no reason for it, not enough of one. I think some IIS systems may use it. I am sure it provides some sort of piece in their competitive marketing strategy. But, kill the dying horse already. Here is the free fix I made (ten months ago, re-released): http://www.eeye.com/html/research/alerts/AL20040610.html There is a reg file or an exe file. Whichever one prefers. We find the exe file is most handy for doing mass fixes across corporate networks. Clue, people: Likely, you have been affected by one of these holes. If you are an administrator, your domain has almost surely been affected. There is a huge market for identities. Do not be naive. > > Disabling scripting won't solve it. Putting sites in one of the > myriad of "zones' won't solve it. Internet Explorer can > trivially be fooled into operating in the less than secure so- > called "intranet zone" and it can be guided there remotely. > > What's happening here. Where is the Microsoft representative > explaining all of this to the shareholders and "customers" they > so dearly wish to protect. This is unacceptable. Someone must > be held accountable. > > > -- > http://www.malware.com > > > > > >
Powered by blists - more mailing lists