lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.58.0507170951360.15236@dione>
Date: Sun Jul 17 09:24:10 2005
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Subject: Compromising pictures of Microsoft Internet Explorer!

On Sat, 16 Jul 2005, tuytumadre@....net wrote:

> I do not mean to flame you, but you are an irresponsible disgrace to the
> hacking community.

You do mean to flame me, apparently, and constructing sentences this way
makes them unintentionally funny. Pretty much like saying "Sir, with all
due respect, you are a filthy low-life scum".

> Do you not care about the customer?

I do security research for fun. Because I mean no harm, I usually take
efforts to notify vendors in advance, or release advisories that are of
more value to those who want to fix problems, than to those exploiting
them. The latter is the case here. The former isn't, because I had a poor
experience with the vendor.

That about sums up my philosophy. No, I do not particularly care about
Microsoft customers - Microsoft should.

> I firmly believe that you are deceiving us when you say you had a hard
> time with secure@...rosoft.com; in fact, I don't even think that you
> have ever once in your life reported a vulnerability to them
> responsibly.

I did, a couple of times. In fact, if you had gone through the effort of
actually using a search engine, you would find out that I did coordinate
some stuff with them.

It is my experience, however, that they require you to:

  1) Prove to them beyond any doubt that a particular issue is exploitable;
     they seem to be doing this not to fully comprehend the threat, but
     to see if you are not absolutely certain on all the phases of the
     attack, and then exploit the benefit of doubt. You need to either:

     a) Debug their code in great detail and explain the execution path
     that leads to this, along with an explanation why overwriting an
     arbitrary byte in memory might cause problems,

     b) Provide an exploit that works for them (and be sure it also
     works on SP2, or they will come up with ridiculous recommendations
     - look up the Bofra IFRAME stuff),

     c) Find a bug that is so patently obvious it hurts (stack buffer
     overflow, for example).

     If you fail to do that, they - in my opinion - use this to downplay
     the issue. Look up how many times Microsoft considered something to
     be less critical than the researcher would believe it to be - and
     were proved wrong by having exploits developed later on. How
     often does the opposite happen?

  2) Wait forever for them to release a patch. Frankly, I see no reason
     why a multi-billion dollar company with so many customers at risk
     would need to take more than a week or two to develop, test and
     release trivial fixes.

  3) Most insidious - if you happen to work for a company that depends on
     Microsoft in one way or another (for example, to recommend, bundle,
     or just not break your products), when you disagree with them, I
     seem to recall they would take an opportunity to give you a friendly
     reminder it would be "unwise" not to agree in your advisory.

All this, combined with the general disregard for the customer who does
not immediately vote with his money (lacking viable options makes this
hard; if you're looking for real-world examples, how long it took
Microsoft to release goddamn patches after Bofra went loose?!), makes me
somewhat less interested in investing several weeks into this type of
cooperation.

/mz
http://lcamtuf.coredump.cx/silence/
