From: fulldisclose at uuuppz.com (James Martin)
Subject: it's all about timing

I think many if not most of us on this list who have produced
advisories/exploits have experienced the frustration associated with the
response from some vendors. I had to explain how serious a buffer overflow
was to the author of mIRC; after several emails the vendor agreed to fix
the problem in the next version. At this time my exploit writing skills were
in their infancy, I did not have a working exploit, so I accepted this.

Two months later (I had got distracted by real work et al) I produced a
working exploit and informed the vendor. It was another two months before
the vendor provided a fix; I waited until they released it before I
released my exploit code. The new release was a major version upgrade, and as
you can imagine this felt like they had played me to keep their existing
development schedule. Of course I cannot accuse them of this, but it
certainly felt like they had. To this day they have not publicly
acknowledged the existence of the hole in all versions prior to 6.00.

However, Dalnet, IRCNet and many other networks all have warnings advising
users to upgrade. Also it was covered by news.bbc.co.uk, newsbytes.com, cnet
and many other news sites. I cannot understand their reasons for this; they
obviously feel publicly admitting their mistake and giving their users a
strong warning to upgrade is not good PR.

I estimate nearly 50% of mIRC users are still running v5.91 and lower. This
figure was attained from a CTCP version of #chatzone on dal.net. This is
after 3 versions have been released sequentially since the disclosure. I
personally don't feel the vendor has made an appropriate effort to protect
its userbase.

On top of this, I was astonished at how so many people assumed that because
my proof of concept code only launched calc.exe, this wasn't a dangerous
hole! I'm seriously considering making my next do "command /c deltree /Y
c:\program files" (joke) :P; you have to highlight the seriousness of the hole.
It's amazing how blatant it seems you need to be. I can't imagine releasing
an advisory without working exploit code.

In summary, I don't know the full circumstances with this Tru64 exploit, but
it seems the hole should have been fixed by HP and they are just trying to
stifle efforts to get them to fix it. I wonder how long it will take for a
fix to arrive now? (or has it already?). I'd much prefer working exploit
code, and an opportunity to fix any system under my control which would be
affected, than secrecy with the chance that someone else has written an
exploit which is circulating in the underground.

Regards
James




----- Original Message -----
From: "Dave Killion" <Dkillion@...screen.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, July 31, 2002 10:59 PM
Subject: RE: [Full-Disclosure] it's all about timing


> Florin,
>
> I agree with you completely.  From what I understand this vulnerability is
> about a year old, although I'm not knowledgeable enough to say that with
> authority.  If it's true, then I believe the 2-4 week requirement has been
> satisfied.
>
> -Dave
>
> *************************** NOTICE **************************
> Opinions expressed in this email are solely my own, and do
> not reflect the attitudes, policy, or opinion of my employer.
> *************************************************************
>
