Message-ID: <200305100502.h4A52o7Z024991@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Multiple Vulnerabilities found in Microsoft .Net Passport Services 

On Thu, 08 May 2003 18:57:04 +1000, Steven Evans said:

> Please, can you wait until microsoft fixes your 'vulnerabilities' before you
> post.  

Well.. it's interesting.. Vulnerability number 2 (password reset) was
apparently closed down within an hour once it hit full-disclosure.  Mind you,
that's after the guys at Microsoft had been given 3 weeks - and it's been
admitted that the hole was there at least since Sept 2002, even though it
shouldn't have passed a code review (and they DID tell the FTC they'd tighten
up security, and "change a password" would seem to be where you'd START
auditing your code, right? ;)

Probably why they're facing a potential $2.2 trillion in fines. ;)

http://www.washingtonpost.com/wp-dyn/articles/A30330-2003May8.html

In any case, Muhammed Faisal Rauf Danka posted vulnerability number 2:

> From: Muhammad Faisal Rauf Danka <mfrd@...itudex.com>
> Date: Wed, 07 May 2003 19:50:51 -0700 (PDT) (22:50 EDT)

It hit the mainstream no more than 5 hours later (and the problem functions
disabled already):

> From: Michael J McCafferty <mike@...omputersecurity.com>
> Date: Thu, 08 May 2003 00:52:32 -0700 (03:52 EDT)
>
> Well, there ya go it's hit the mainstream press....
> http://news.com.com/2100-1002_3-1000429.html?tag=lh
>
> The story mentions that MS has turned off all password reset functionality 
> by now.

So finally, Qazi posts..

> Date: Thu, 08 May 2003 11:36:37 +0500
> From: Qazi Ahmed <qa@...cert.org>
> Subject: [Full-Disclosure] Multiple Vulnerabilities found in Microsoft .Net  Passport Services

After adjusting for timezones, this is only 15 minutes before McCafferty
posted that *everybody* knew - and I doubt that Microsoft turned it off,
news.com found out it was disabled and got a web page up saying that, and then
McCafferty posted here that news.com had the page, all in 15 minutes.

So I'm not at all sure what you're complaining about regarding the timing.

