lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <87e395c80610290113i5a3d7fdfk5402ba3a279b490@mail.gmail.com>
Date: Sun, 29 Oct 2006 16:13:07 +0800
From: "LIUDIEYU dot COM" <liudieyu.com@...il.com>
To: Full-Disclosure@...ts.grok.org.uk, NTBugtraq@...tserv.ntbugtraq.com
Subject: Fwd: IE7 is a Source of Problem - Secunia IE7
	Release Incident of October 2006

fulldisclosure and ntbugtraq added, also available on my blog.

---------- Forwarded message ----------
From: LIUDIEYU dot COM <liudieyu.com@...il.com>
Date: Oct 29, 2006 1:50 AM
Subject: Re: IE7 is a Source of Problem - Secunia IE7 Release Incident
of October 2006
To: Reversemode <advisories@...ersemode.com>
Cc: Securityfocus <bugtraq@...urityfocus.com>


If you have read "IE7 is a Source of Problem - Secunia IE7 Release
Incident of October 2006" then please ignore this message for in it I
offer no further view on this topic. A gentleman has chanllenged me
with several questions on bugtraq and as an old-fashioned Chinese man
it is impolite to avoid answering in such circumstances.

Sorry for the delay caused not thru my fault, Mister Reversemode, here
is my reply to your question marks:

Q1 I assume that bugtraq is an objective security list. Subjective
opinions? I do not think so.
A1 I just heard you said "From a security researcher standpoint", "So
let's imagine", "What would happen if you have to" blah blah, etc.
"objective"? You are not confused with these two jectives are you?

Q2 From a security researcher standpoint, the important thing is where
the flaw is located, since your products/company could be exposing the
flawed component through a bunch of attack vectors. So let's imagine
that Microsoft had released an advisory just saying that the culprit
is Internet Explorer ONLY. It wouldn't be very funny if you are using
that mhtml component within your own product, since you would think:
"Ok, no problem, IE is vulnerable ONLY". What would happen if you have
to write down a vulnerability report on it?
A2 "What would happen" ... honestly I don't know. Per your request as
"bugtraq is an objective security list", can you name one example
product other than IE that demonstrates "using that mhtml component"
"wouldn't be very funny"?

Q3: Attack vectors != vulnerabilities For example, is a vuln within
the Quicktime Browser plugin the same that a flaw within the own IE? I
don't think so. I am not defending Microsoft. I am defending that
every vendor/researcher should release proper advisories, i.e (...)
A3: In this specific "For example" case you don't have to defend
Microsoft. It's Apple who need your defense, if hopefully it involves
something not Apple branded.

Mister Reversemode, you have further concerns to express publicly over
bugtraq regarding this topic brought up by me, you are welcome to ask
me and I'll reply accordingly, but you do understand I might not be
available for a 3rd reply to your message.

Liu Die Yu
28 OCT 06

On 10/28/06, Reversemode <advisories@...ersemode.com> wrote:
> >"Let me sum up: in this case IE is vulnerable, only IE is vulnerable,
> > and Microsoft say "These reports are technically inaccurate: the issue
> > concerned in these reports is not in Internet Explorer 7 (or any other
> > version) at all".
>
> I assume that bugtraq is an objective security list. Subjective
> opinions? I do not think so.
>
> If you post saying "X" product is vulnerable, you should be able to
> demonstrate it. From a security researcher standpoint,  the important
> thing is where the flaw is located, since your products/company could be
> exposing the flawed component through a bunch of attack vectors.
> So let's imagine that Microsoft had released an advisory just saying
> that the culprit is Internet Explorer ONLY. It wouldn't be very funny if
> you are using that mhtml component within your own product, since you
> would think: "Ok, no problem, IE is vulnerable ONLY". What would happen
> if you have to write down a vulnerability report on it?.
>
> Btw, you have censored an important part of the original "advisory" for
> your own profit :
>
> ----
> >"Let me sum up: in this case IE is vulnerable, only IE is vulnerable,
> > and Microsoft say "These reports are technically inaccurate: the issue
> > concerned in these reports is not in Internet Explorer 7 (or any other
> > version) at all" -> "Rather, it is in a different Windows component,
> specifically a component in Outlook Express. While these reports use
> Internet Explorer as a vector the vulnerability itself is in Outlook
> Express"
> "
> ----
>
> Attack vectors != vulnerabilities
>
> For example, is a vuln within the Quicktime Browser plugin  the same
> that a flaw within the own IE? I don't think so.
>
> I am not defending Microsoft. I am defending that every
> vendor/researcher should release proper advisories, i.e When Microsoft
> hid information in a security bulletin  few months ago,( NtClose
> DeadLock issue/MS06-30), I posted to the list  objective technical
> details demonstrating it. If you have technical details demonstrating
> that a shared component is not the culprit, but IE does, I'll shut up
> myself. Frankly, I only trust in technical reasoning, I don't mind who
> is the vendor.
>
> Regards,
> Rubén.
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ