lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <FCAD9F541A8E8A44881527A6792F892C256F9C@owa.eeye.com>
From: dcopley at eEye.com (Drew Copley)
Subject: RE:  Microsoft and Security

> -----Original Message-----
> From: http-equiv@...ite.com [mailto:1@...ware.com] 
> Sent: Friday, June 25, 2004 11:53 AM
> To: bugtraq@...urityfocus.com
> Subject: Microsoft and Security

<snip>

> A vulnerability:
> 
> http://www.microsoft.com/technet/archive/community/columns/securi
> ty/essays/vulnrbl.mspx
> 
> "A security vulnerability is a flaw in a product that makes it 
> infeasible - even when using the product properly-to prevent an 
> attacker from usurping privileges on the user's system, 
> regulating its operation, compromising data on it, or assuming 
> ungranted trust."
> 
> what this gibberish? For the past 10 months the adobd.stream 
> object is capable of writing files to the "all important 
> customer's" computer. It has real world consequences. It rapes 
> their computer. Does it fit into the gibberish custom 
> definition. Plain and simple: "A security vulnerability is a 
> flaw in a product that makes it infeasible". What kind of 
> language is this. Reads like the financial department conjured 
> it up.

LOL. Very well said...

I think the point is not being pushed home, though.

Ten month old vulnerability. Common denominator for all of these
attacks. This latest one is using the same flaw we saw in one
this past Spring. It is not the latest zero day, according to
Symantec's latest paper.

In fact, even they state up front "to deploy the workaround for
the adodb stream issue". Workaround. 

This adodb stream issue - found by Jelmer - is unfixed by Microsoft.

I do not know why. I suppose it fits into their competitive "motif"
somehow. They like to do these sorts of things.

It is a "bar lowering" vulnerability. Otherwise, these other attacks
would not work. They never would have worked. 

The workaround kill bits the activex. There is no reason for it,
not enough of one. I think some IIS systems may use it. I am sure
it provides some sort of piece in their competitive marketing
strategy. But, kill the dying horse already.

Here is the free fix I made (ten months ago, re-released):
http://www.eeye.com/html/research/alerts/AL20040610.html

There is a reg file or an exe file. Whichever one prefers. We 
find the exe file is most handy for doing mass fixes across 
corporate networks.

Clue, people: Likely, you have been affected by one of these
holes. If you are an administrator, your domain has almost
surely been affected.

There is a huge market for identities. Do not be naive.



> 
> Disabling scripting won't solve it. Putting sites in one of the 
> myriad of "zones' won't solve it. Internet Explorer can 
> trivially be fooled into operating in the less than secure so-
> called "intranet zone" and it can be guided there remotely.
> 
> What's happening here. Where is the Microsoft representative 
> explaining all of this to the shareholders and "customers" they 
> so dearly wish to protect.  This is unacceptable.  Someone must 
> be held accountable.
> 
> 
> -- 
> http://www.malware.com
> 
> 
> 
> 
> 
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ