Message-ID: <Pine.LNX.4.58.0507170951360.15236@dione>
Date: Sun Jul 17 09:24:10 2005
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Subject: Compromising pictures of Microsoft Internet Explorer!

On Sat, 16 Jul 2005, tuytumadre@....net wrote:

> I do not mean to flame you, but you are an irresponsible disgrace to the
> hacking community.

You do mean to flame me, apparently, and constructing sentences this way makes them unintentionally funny. Pretty much like saying "Sir, with all due respect, you are a filthy low-life scum".

> Do you not care about the customer?

I do security research for fun. Because I mean no harm, I usually take efforts to notify vendors in advance, or release advisories that are of more value to those who want to fix problems than to those exploiting them. The latter is the case here. The former isn't, because I had a poor experience with the vendor. That about sums up my philosophy.

No, I do not particularly care about Microsoft customers - Microsoft should.

> I firmly believe that you are deceiving us when you say you had a hard
> time with secure@...rosoft.com; in fact, I don't even think that you
> have ever once in your life reported a vulnerability to them
> responsibly.

I did, a couple of times. In fact, if you had gone through the effort of actually using a search engine, you would find out that I did coordinate some stuff with them. It is my experience, however, that they require you to:

1) Prove to them beyond any doubt that a particular issue is exploitable; they seem to be doing this not to fully comprehend the threat, but to see if you are not absolutely certain on all the phases of the attack, and then exploit the benefit of the doubt.

   You need to either:

   a) Debug their code in great detail and explain the execution path that leads to this, along with an explanation why overwriting an arbitrary byte in memory might cause problems,

   b) Provide an exploit that works for them (and be sure it also works on SP2, or they will come up with ridiculous recommendations - look up the Bofra IFRAME stuff),

   c) Find a bug that is so patently obvious it hurts (stack buffer overflow, for example).

   If you fail to do that, they - in my opinion - use this to downplay the issue. Look up how many times Microsoft considered something to be less critical than the researcher believed it to be - and were proved wrong by having exploits developed later on. How often does the opposite happen?

2) Wait forever for them to release a patch. Frankly, I see no reason why a multi-billion dollar company with so many customers at risk would need to take more than a week or two to develop, test and release trivial fixes.

3) Most insidious - if you happen to work for a company that depends on Microsoft in one way or another (for example, to recommend, bundle, or just not break your products), when you disagree with them, I seem to recall they would take the opportunity to give you a friendly reminder that it would be "unwise" not to agree in your advisory.

All this, combined with the general disregard for the customer who does not immediately vote with his money (lacking viable options makes this hard; if you're looking for real-world examples, how long did it take Microsoft to release goddamn patches after Bofra went loose?!), makes me somewhat less interested in investing several weeks into this type of cooperation.

/mz
http://lcamtuf.coredump.cx/silence/