Message-ID: <5AC65C46BD545547A935EF128D25F7C92ACC99C3@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Sat, 14 Dec 2013 20:25:45 +0000
From: Microsoft Security Response Center <secure@...rosoft.com>
To: 'Pedro Luis Karrasquillo' <peter_toyota@...mail.com>, "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Where are you guys standing re: the (full) disclosure question?

Microsoft takes security vulnerability reports at secure@...rosoft.com, as Dieyu mentioned on Friday.

-----Original Message-----
From: Full-Disclosure [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Pedro Luis Karrasquillo
Sent: Friday, December 13, 2013 9:04 PM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Where are you guys standing re: the (full) disclosure question?

Ok. Connect.microsoft.com is not accepting Server 2k8 DNS bugs, and I did not find a specific place in TechNet to report either. Felt like going in circles between the MS Contact Us page and connect.microsoft.com. Maybe you are right, I may lack a certain level of patience...

Went ahead and started a chat session with MS support. It went like this:

-------------------------
General Info
Chat start time: Dec 13, 2013 11:34:07 PM EST
Chat end time: Dec 13, 2013 11:46:23 PM EST
Duration (actual chatting time): 00:12:15
Operator: Germaine

Chat Transcript
info: Please wait for an agent to respond. You are currently '1' in the queue.
info: Privacy Statement
You are now chatting with 'Germaine'.
Germaine: Thank you for contacting Microsoft Customer Service chat. This chat service is designed to assist you with site navigation, technical support case submission, and customer service questions.
Germaine: If you need technical support, I can provide you with your support options or help you submit your case to the appropriate support professional who can work with you to resolve your issue.
Germaine: How may I help you, Pedro?
pedro: are you a human?
Germaine: Yes, I am. How can I help you?
pedro: i want to submit a bug report for Windows Server 2008 R2 DNS server
pedro: it has a flaw
Germaine: You have 2 options:
Germaine: Either you submit it through our Microsoft Technet Forums or Connect.microsoft.com.
pedro: connect.micro is not accepting bugs for 2008
pedro: and technet has nowhere to submit bugs either. already checked.
pedro: unless it is out of the way.. I am a security researcher. I plan to disclose.
Germaine: Let me check my resources.
Germaine: Reporting a bug, Pedro, can be through U.S. Mail, Support Incident and Product Feedback Tool.
Germaine: For U.S. Mail, mail your report to Attn: Development Group, Microsoft Corporation, One Microsoft Way, Redmond, WA 98052.
Germaine: To use Support Incident, if you have a subscription with technical benefits, you may submit a case and our Support Professional will take a look at it.
Germaine: For Product Feedback Tool, you may visit the Windows Server 2008 R2 Product Support page and provide feedback.
Germaine: You may reach our Support professional by following this link:
Germaine: Submit an Incident - Online Assisted Support
pedro: i do not have a subscription, sorry.
Germaine: Well, you can do the other two options: U.S. Mail & Product Feedback Tool.
pedro: I may have to just publish. I hate to see Windows DNS servers being used for DDoS attacks so easily, you know? With it being an easy fix and all.
pedro: Thank you, Germaine.
Germaine: You're welcome, Pedro.
Germaine: If there's nothing else, I will close this session now.
Germaine: Thank you for using Microsoft Customer Service chat.
Germaine: Have a good one, Pedro!
----------------------

I read all of the responses to this thread so far and I appreciate all your opinions. After the chat with the MS rep, I feel like disclosing. For one, the bug is not a huge deal, just annoying that your server can be used to help DDoS someone so easily, and two, MS did not seem interested in bugs for last gen products.

________________________________
Date: Sat, 14 Dec 2013 02:52:33 +0000
Subject: Re: [Full-disclosure] Where are you guys standing re: the (full) disclosure question?
From: dieyu@...yu.org
To: guninski@...inski.com
CC: peter_toyota@...mail.com; full-disclosure@...ts.grok.org.uk

Q: 1. should I tell MS first?
A: Microsoft is just a big company - there are good guys (my good friend was there), and there are bad guys (who think too much about money, etc). So, it's up to you whether you email secure@ms. Another factor: it can take months for a bug to be fixed (first MSRC checks it, then the product team fixes it, then release - all steps take a lot of time). Guninski: "give them a few seconds" - if you want to work with Microsoft, you've got to be a little patient.

Q: 2. being this is possibly my first bug as a researcher, will this get me into trouble (legal or otherwise)?
A: No, publishing before fix will not get you into trouble. Guninski: "if they sue you" - they won't sue you (Guninski did it before on Microsoft products, and he is fine).

Q: 3. will this make me a rock star?
A: Ah, this depends on the impact.

__________
http://offlinechromeinstaller.com/

On Fri, Dec 13, 2013 at 3:08 PM, Georgi Guninski <guninski@...inski.com> wrote:
On Thu, Dec 12, 2013 at 10:02:55PM -0400, Pedro Luis Karrasquillo wrote:
> Humans, Dwarves, Elves, Fairies and all free folk on this list:
>
> Meli Kalikimaka.
>
> I think I found a relatively small bug with Windows Server running DNS with recursion turned off, that still allows the server to be used for DDOS amplification attacks. There are a sizable number of these on the net, and I do not think operators realize that the server is not totally silent with recursion turned off.
> I want to put my findings here on the list, as well as on my blog, but I am unsure if:
>
> 1. should I tell MS first?

if you ask me definitely no. or at most give them a few seconds.

> 2. being this is possibly my first bug as a researcher, will this get me into trouble (legal or otherwise)?

if they sue you, I suppose this will make you a star for some time. IANAL, so take care.

> 3. will this make me a rock star?
>
> I have details on the bug, as well as remediation steps. I would not say I "discovered" it per se, as I found it while studying an attack on a network I protect, but I do not see it documented anywhere either.
>
> What say you, Wise List Readers?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/