lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060709043105.65980.qmail@web55904.mail.re3.yahoo.com>
Date: Sat, 8 Jul 2006 21:31:05 -0700 (PDT)
From: Web Ex <exwebex@...oo.ca>
To: Mark Litchfield <"[mark"@ngssoftware.com>,
	UNEXPECTED_DATA_AFTER_ADDRESS@...NTAX-ERROR
Cc: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
	sec-adv@...unia.com
Subject: RE: WebEx Downloader Plug-in Multiple Vulnerabilities + rant


*498 days to fix an arbitrary code vulnerability
*Silently fixing buffer overrun vulns without releasing an advisory (http://xforce.iss.net/xforce/alerts/id/226, in "Additional Information" section)
 
Hmph. Wow.
 
I wonder if they kill-bitted older versions >>>hehehe  ;-)
 
I ran across at least some of the same issues reported in early 2005 as well (didn't bother to report them though).  All I can say is swiss-cheese for the stuff I looked at, what's a better word when you spend 30 minutes looking at a product and come up with a half dozen or so high impact flaws.
 
________________________________________
From: Mark Litchfield
Sent: Friday, July 07, 2006 9:58 AM
To: bugtraq@...urityfocus.com; vulnwatch@...nwatch.org; sec-adv@...unia.com
Subject: WebEx Downloader Plug-in Multiple Vulnerabilities + rant
 
All these vulnerabilities were reported to WebEx by NGS Software back on the
24th February 2005 along with some other issues.
 
The current Director of the X-Force new about these issues as at the time of
their discovery, he worked with NGS.
 
Seeing as I'm the subject, here is another example whereby I found a bug (in
Skype) except Pentest-Limited were credited with it's discovery -
http://www.theregister.co.uk/2005/10/25/skype_vuln/  An extract from an
email below from Kurt Sauer (Security Operations / Skype Technologies),
shows that Mark Rowe of Pentest Ltd for some unknown reason had access to my
email sent to Kurt.
 
In reviewing our mail archives, I see that you *DID* report the vuln (the
VCARD aspect) to us -- to ME, directly -- before Mark Rowe did.  However, I
(gulp) mishandled the e-mail.
 
As you surmised, it appears that Mark Rowe read that mail and found another
instantiation of the same bug, namely the handling of the command-line
parameters.
 
Completely my fault on that.  It will take one "push" cycle (typically less
than a day) to get a correction posted, but I will both correct our
announcement and also redistribute it with corrected attribution.
 
I should have asked you to CC security@...pe.net on the actual vuln report,
because mail sent to that address is read by more than just me.
 
Importantly, I am going to hire a dedicated incident manager (as fast as
our hiring practices will allow) so that there is someone spending full
workdays just handing inbound messages on this topic.

Could never be bothered before to make an issue of it.  But to sit on a
large number of flaws in a vendors software product for 498 days and see
other companies credited is a tad annoying :)
 
All the best
 
Mark Litchfield


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ