Date: Wed, 15 Sep 2004 09:15:05 +0100
From: "advisories" <advisories@...saire.com>
To: <bugtraq@...urityfocus.com>
Subject: Re: Correction to latest Colsaire advisories


Rather than cross posting stuff verbatim from full-disclosure (it's there
for anyone who wants to read it), in summary:

At the time the research was conducted (August 2003) Corsaire looked around
for as much information as possible prior to commencing. There were a number
of individual MIME issues around, but most were single-product
vulnerabilities. The 3APA3A white paper has existed since at least February
2002, but was not encountered at the time. It has been recently updated to
include the latest information, but even so, details only a small subset of
the test cases provided as part of the Corsaire research. If anyone were to
claim that the 3APA3A white paper is in any way complete, fully researched
and definitive, it would simply be untrue

The Corsaire research project produced test cases for around 200 working
attack vectors, that when passed through the top 10 content products
produced over 800 individual vulnerabilities (needless to point out that
there are a lot more than 10 products in this arena).

When we approached Mitre in regard to organising CVE numbers, it was clear
that there were far too many issues to allocate individually, so it was
agreed to pursue the same route as the SNMP issue from several years ago
(http://www.cert.org/advisories/CA-2002-03.html) and group them into
manageable chunks; this is what produced the broad category based
advisories. The use of the categories then isn't an attempt to assume credit
for anyone else's work (if such exists), but to manage the volume of issues
identified.

Regards,
Martin O'Neal
Technical Director - Colsaire

Powered by blists - more mailing lists