From: dotslash at snosoft.com (KF)
Subject: Microsoft Cries Wolf ( again )

It only takes 30 seconds to type an email saying.... hey thanks for 
taking the time to let us know... we will get back to you. The no-call 
no-shows (not replying to security related emails) are BS for lack of a 
better word. Not even acknowledging an issue is a far cry from trying to 
work out a fix. A lot of vendors can't even do that without you yanking a 
few teeth out.

I am also sick of seeing vendors downplay issues by calling them 
"potential" or "denial of service".  

as an example... 
http://archives.neohapsis.com/archives/tru64/2002-q3/0019.html

here's me *potentially exploiting the issue*

bash-2.05a$ id
uid=201(dotslash) gid=15(users) groups=0(system)
bash-2.05a$ ./TRU64_su
# id
uid=0(root) gid=15(users) groups=15(users),0(system)

or http://xforce.iss.net/xforce/xfdb/7157
and
http://www.blacksheepnetworks.com/security/hack/linux/squid.c

What part of me taking a root shell as a local user is a potential 
issue... and what part of me taking remote uid nobody entails a denial 
of service attack... yeah the abuser may have crashed the service while 
trying to exploit the issue but that hardly qualifies denial of service 
as the impact of the bug.

As a side note the three letter company I spoke about earlier today has 
since gone above and beyond at attempting to rectify the communications 
problem we had earlier. Thanks to those of you that helped out.
-KF


dhtml@...h.com wrote:

> While there is some argument about what makes a vendor unresponsive, patch
> times in this case are, likely and understandably, quite lengthy.  These
> fixes are not trivial to begin with, thanks in no small part to the
> incredible number of customers Microsoft has.  As if the literally millions
> of configurations Microsoft software must support weren't enough, think for
> a second about the multiple different character sets its code applies to.
> Even the *DOCUMENTATION* for the patch must be translated into dozens of
> different languages -- no small task with exploitation looming on the
> horizon.  However, it is obvious that in this case, the reporter did not
> attempt any contact with Microsoft whatsoever.
>
> /////////
>
> This is not my problem. I DON'T CARE!
>
> That's your company and you do with it as you see fit. Whether you want
> to make 1 million versions of your product in order to grab every possible
> market share, so be it.
>
> You'd better be damn sure that what you make works otherwise if you throw
> it out there and it breaks, some one has to pay.
>
> Why not make one quality product instead of hundreds of flawed ones?
>
> That's right! It's your company and you do with it as you see fit!


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
