Date: Fri, 24 Sep 2004 16:59:00 +0100
From: "advisories" <advisories@...saire.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Correction to latest Colsaire advisories



# This has been re-sent several times in the last week, but for whatever
reason, my email hasn't been getting to the bugtraq list.

> I presume that these are nine of the
> "top 10 content providers".

Actually, no. Our internal testing covered a limited collection of what we
considered the most prevalent enterprise products. When it became clear that
the issues were widespread, we brought NISCC in to coordinate passing out a
set of canned test tools to all the MIME related vendors they could find
(anecdotally, I think this was something like 100+).

We obviously have the results of our own testing (which is where the stats
come from), but the other vendors have been invited to make their own
declaration as to the outcome of the test tools. Needless to say the
statements provided so far are somewhat sparse; the only vendor from our
original test set to make a statement is F-Secure.

> I also note that Microsoft was not listed as a vendor that responded.
> Were their products tested and if so what were the results?

Yes, they were tested. Yes, they have chosen not to make a public statement.
I personally don't know why this may be so. Perhaps you could ask them? ;)

The release model for these vulnerabilities has been the best compromise of
what is a difficult situation. Releasing as individual advisories (or
per-product clumps) was never going to be ideal; both because of the volume
and because earlier public releases expose information about products that
come later in the process. The solution chosen was to pick a date far-off in
the future, to provide the vendors with all the information they needed to
replicate the issues, and then to allow them to make their own public
statements as to compliance. Effectively the same model as the SNMP issues
from a few years ago.

History may prove this not to be ideal, and a better model may be needed.

Regards,
Martin O'Neal
