lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: geoincidents at getinfo.org (Geo.)
Subject: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption

>>Resolution of vulnerabilities is not the same thing as technical detail
_disclosure_ of details about the vulnerability.<<

Ok they are not the same but it is the _details_ that are important, we
aren't taking about point and click PoC code, we are talking about details
of the flaw. This is a library function, so how do you know what else it
might affect or if other libraries on other OS may have the same (remember
POD?) sort of issues?

>>But full detail bulletins should lag the initial release of the patch by
some number of weeks/months.<<

But then nobody else who has a similar product or uses the same library but
maybe not the specific function can tell if their product also requires an
update, so you want to set them back by a number of weeks/months? You are
assuming that a vulnerability affects only one vendor but by doing so you
may be slowing down the release of patches for other products can also be
affected.

>>As far as Eeye having a stockpile of Microsoft vulnerabilities and I
would assume lab code that can exersize them, doesn't bother me as much<<

If you were in competition with Microsoft on some Windows product, would
Microsoft constantly having multiple backdoors to any of your systems worry
you?

Geo.


Powered by blists - more mailing lists