lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20040212025143.XVFM322971.fep04-mail.bloor.is.net.cable.rogers.com@BillDell>
From: full-disclosure at royds.net (Bill Royds)
Subject: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption

Actually Microsoft has always had a backdoor into your machine if you use
Windows since you have a listener on the SMB ports, as well as UPnP (port
5000), so there is no extra risk there. And Eeye has had more ways to get a
backdoor than this. If you expose any computer to the Internet, you need to
assume it will be compromised at some point so don't store any information
that you don't want to see public.  

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Geo.
Sent: February 11, 2004 10:00 AM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] EEYE: Microsoft ASN.1 Library Bit String Heap
Corruption

>>Sure am glad you put that notice in there, here I was getting all hot
and bothered that you were giving people a road map to the exploit.
Here I was wondering why a security vendor would be increasing the risk
model by releasing details which will save the "bad guys" weeks of
research on the day of the patch release, giving the "good guys" even
less time to regression test this patch in their environment and
mitigate any harmful side effects.<<

Why is that such a problem when you don't seem to care that both eeye and
Microsoft have had full remote anonymous access to all your Windows systems
for the past 5 months?

Kinda handy if a vendor could just walk into your billing system to see how
much you bill each month so they could figure out how much to charge you...

Geo.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ