lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: pdt at jackhammer.org (Paul Tinsley)
Subject: EEYE: Microsoft ASN.1 Library Bit String Heap
 Corruption

Geo. wrote:

>>>Sure am glad you put that notice in there, here I was getting all hot
>>>      
>>>
>and bothered that you were giving people a road map to the exploit.
>Here I was wondering why a security vendor would be increasing the risk
>model by releasing details which will save the "bad guys" weeks of
>research on the day of the patch release, giving the "good guys" even
>less time to regression test this patch in their environment and
>mitigate any harmful side effects.<<
>
>Why is that such a problem when you don't seem to care that both eeye and
>Microsoft have had full remote anonymous access to all your Windows systems
>for the past 5 months?
>
>Kinda handy if a vendor could just walk into your billing system to see how
>much you bill each month so they could figure out how much to charge you...
>
>  
>
If we skip over the whole legitimate companies doing very illegal things 
point of view and skip right to you jumping to the conclusion that I 
don't care about speedy resolution of problems.  Resolution of 
vulnerabilities is not the same thing as technical detail _disclosure_ 
of details about the vulnerability.  I was very vocal about not agreeing 
with Microsoft moving to a month long patch cycle.  I want fixes as they 
are available so I can get to work fixing the holes as soon as 
possible.  I still believe there should be bulletins posted with details 
that there is a hole and a fix available.  But full detail bulletins 
should lag the initial release of the patch by some number of weeks/months.

As far as Eeye having a stockpile of Microsoft vulnerabilities and I 
would assume lab code that can exersize them, doesn't bother me as much 
as some cred whore leaking it to all his buds just to gain more street 
cred.  At least that was my impression, before Eeye started doing 
GOBBLES style bulletins with rap excerpts in them...

Thanks,
    Paul Tinsley

>Geo.
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>  
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ