lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20040701094650.A8541@ring.CS.Berkeley.EDU>
Date: Thu, 1 Jul 2004 09:46:50 -0700
From: Nicholas Weaver <nweaver@...berkeley.edu>
To: Jeremy Epstein <jeremy.epstein@...methods.com>
Cc: Anything But Microsoft <abm@...thingbutmicrosoft.org>,
	"<@securityfocus.com BUGTRAQ" <BUGTRAQ@...urityfocus.com>
Subject: Re: Microsoft technologies. By default, non-HIPAA compliant?


On Wed, Jun 30, 2004 at 01:43:11PM -0400, Jeremy Epstein composed:
> A slightly less draconian configuration might have a filtering router that
> only allows users to visit particular sites; in that case also, the IE
> problems would be of no concern (since the redirect to the Russian and
> Estonian sites could be prevented).

This would not be the case, as the trojaned sites could easily present
the malware directly, rather than contacting a third party site.  That
it didn't is simply a sign that the attacker was less clever and
creative than he could have been.  Thus all sites which can be
contacted need to be "trusted".

> The latest set of attacks demonstrate some pretty bad problems, and
> Microsoft deserves a lot of criticism.  But let's not go overboard.

A better criticism is that, yeah, QA is important, but this is a known
critical exploit for over a WEEK now and there is no patch in sight.

That the crisis hasn't bloomed further with the simple hack:

Make the malcode modify any .html it can find, and include itself on
that site for download, combined with the continual attacks on IIS
sites, banner servers, etc...

is a mystery to me.

-- 
Nicholas C. Weaver                                 nweaver@...berkeley.edu


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ