Message-ID: <3E384590.1010705@thievco.com>
From: BlueBoar at thievco.com (Blue Boar)
Subject: Re: Full Disclosure != Exploit Release
Paul Schmehl wrote:
> I've read this mantra over and over again in these discussions, and a
> question occurs to me. Can anyone provide a *documented* case where a
> vendor refused to produce a patch **having been properly notified of a
> vulnerability** until exploit code was released?
It might not meet your exact criteria, but here's one I recall:
On Win9x, if you share out a printer, it creates a printer$ share which
points to your system directory (read-only, of course). The purpose is so
that other Win9x boxes can auto-download drivers when they connect to the
share. It was pointed out to Microsoft that there is potentially all kinds
of interesting info that can be had by an attacker. Microsoft decided it
wasn't important to fix.
A bit after this was under public discussion, I attended the first
NTBugtraq conference/party thingy. A couple of the Microsoft security guys
were there, and we got to discussing it. I asked if they planned to fix
it, they said no. They said there's nothing exploitable. I pointed out
that I could go through the system directory and determine things like
exact patch levels, software installed, etc... They said they didn't think
it was important enough. The fix would have been to create another
directory for printer drivers, and share that out instead.
The MS security guys basically said that if someone could demonstrate a
significant problem, they'd take another look at it. In other words, show
them an exploit, or they wouldn't fix it. Everyone knew it was risky, and
just waiting for someone to come up with an interesting use for the hole.
It was never patched (AFAIK), and that was several years ago.
BB
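The misconfiguration described in the message, a share whose path lands on the OS system directory, is easy to audit for. The following is an added example, not part of the original post; it assumes a modern Windows host where Get-SmbShare exists (the Win9x printer$ share itself is only mirrored here as constructed sample data).

```powershell
# Added example: flag SMB shares whose path sits at or under the OS system directory.
# Assumes the SmbShare module (Get-SmbShare) on a current Windows host.

function Test-PathUnderRoot {
    param([string]$Path, [string]$Root)
    $p = [System.IO.Path]::GetFullPath($Path).TrimEnd('\')
    $r = [System.IO.Path]::GetFullPath($Root).TrimEnd('\')
    # -eq is case-insensitive in PowerShell; StartsWith is made so explicitly.
    return ($p -eq $r) -or $p.StartsWith($r + '\', [System.StringComparison]::OrdinalIgnoreCase)
}

function Find-SystemDirectoryShares {
    param(
        # Objects with Name and Path properties, e.g. the output of Get-SmbShare.
        [Parameter(Mandatory)] [object[]]$Shares,
        [string]$SystemRoot = $env:SystemRoot
    )
    foreach ($s in $Shares) {
        if ([string]::IsNullOrEmpty($s.Path)) { continue }   # IPC$ and similar have no path
        if (Test-PathUnderRoot -Path $s.Path -Root $SystemRoot) {
            [pscustomobject]@{
                Name    = $s.Name
                Path    = $s.Path
                Finding = 'share exposes the OS system directory; move content to a dedicated directory and share that instead'
            }
        }
    }
}

# Constructed sample data mirroring the message: printer$ pointing at the Win9x
# system directory, beside the mitigation the message describes (a separate
# driver directory shared out instead).
$sample = @(
    [pscustomobject]@{ Name = 'printer$'; Path = 'C:\WINDOWS\SYSTEM' },
    [pscustomobject]@{ Name = 'drivers';  Path = 'C:\PRNDRV' },
    [pscustomobject]@{ Name = 'IPC$';     Path = '' }
)
Find-SystemDirectoryShares -Shares $sample -SystemRoot 'C:\WINDOWS' | Format-Table -AutoSize

# On a live host:
# Find-SystemDirectoryShares -Shares (Get-SmbShare) | Format-Table -AutoSize
```

On a current host the built-in print$ share (under System32\spool\drivers) will also be listed; it is expected by design, so review any other hit.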