[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <43A0D0AD.4060903@kc.rr.com>
Date: Thu Dec 15 02:11:01 2005
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: iDefense Security Advisory 12.14.05: Trend
Micro ServerProtect relay.dll Chunked Overflow Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
labs-no-reply@...fense.com wrote:
> Matt,
>
> We don't disagree with you. The vulnerability lies in the Microsoft
> Foundation Classes (MFC) static libraries. Trend Micro also acknowledges
> this in their response. Unfortunately, Trend Micro's product
> distributions are vulnerable since they ship with the old static libraries.
>
> Michael Sutton
> Director, iDefense Labs
That's all well-and-good. I see two problems with this, only one of
which deals with iDefense:
1. iDefense was sloppy about fact-checking and crediting prior reports.
If it surfaces that a vulnerability is a rediscovery of an unfixed
issue from a prior report, at least mention the prior report.
Particularly when you're buying/selling this as original research, it
makes iDefense look bad.
2. I'm betting that the reason why nobody at Trend paid more attention
than they did is because of the horrendous misdocumentation of the
service pack's fixes by Microsoft. The only thing that has to do with
your report is that it makes the rediscovery of the issue more blatant.
It seems my post has been taken as more hostile toward iDefense than was
intended. I'll say now that the majority of the blame for the fact this
was rediscovered in the first place lies squarely with Microsoft for its
spectacularly bad job of managing this vulnerability. Had Microsoft
taken the initiative to actually inform customers that a hole existed
when it released Service Pack 6 for Visual Studio 6.0 (or chosen a more
effective delivery vehicle), I have no doubt that a company the size of
Trend would have been much less likely to be caught off guard.
- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."
-- Michael Holstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDoNCsfp4vUrVETTgRAxsHAJ45XwlzkUr1y1T+EceGK8DB9Ul1egCfSXIy
YdHjZR1Kgc//4JTWCJMsSqA=
=cX5b
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3436 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051214/0ab02e3e/smime-0001.bin
Powered by blists - more mailing lists