Message-ID: <20040915145933.5968615F53C@mail.ngssoftware.com>
Date: Wed, 15 Sep 2004 16:42:39 +0100
From: "David Litchfield" <davidl@...software.com>
To: "'advisories'" <advisories@...saire.com>,
	<bugtraq@...urityfocus.com>
Subject: RE: Correction to latest Colsaire advisories


>The Corsaire research project produced test cases for around 200 working
>attack vectors, that when passed through the top 10 content products
>produced over 800 individual vulnerabilities (needless to point out that
>there are a lot more than 10 products in this arena).

Not wanting to quibble, but looking for clarification:

The associated UNIRAS advisory
(http://www.uniras.gov.uk/vuls/2004/380375/mime.htm) lists the responses
from various vendors with regards to these issues. I presume that these are
nine of the "top 10 content providers". Vendors include:

Apple, F-Secure, Fujitsu, HP, IBM, MessageLabs, Mozilla and ripMIME.

Only ripMIME and F-Secure (Server products affected, workstation products
fine) claim to have been found wanting. The remainder clearly state that
their products, when put through the test suite, were _not_ found to be
vulnerable.

How does this translate to the figures you're talking about? I ask this to
better understand the risk. Is this something everything else should be
dropped for and this prioritized? From the UNIRAS advisory I'd assume not,
unless of course you use F-Secure servers or ripMIME, and, at the moment, it
all seems a bit like a storm in a teacup.

I also note that Microsoft was not listed as a vendor that responded. Were
their products tested and if so what were the results?

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.nextgenss.com/
http://www.databasesecurity.com/
+44(0)1334 470 027
