Re: [Full-Disclosure] Re: Full Disclosure != Exploit Release

From: Blue Boar (BlueBoar@thievco.com)
Date: 01/29/03

    From: Blue Boar <BlueBoar@thievco.com>
    To: Paul Schmehl <pauls@utdallas.edu>
    Date: Wed, 29 Jan 2003 13:20:16 -0800
    

    Paul Schmehl wrote:
    > I've read this mantra over and over again in these discussions, and a
    > question occurs to me. Can anyone provide a *documented* case where a
    > vendor refused to produce a patch **having been properly notified of a
    > vulnerability** until exploit code was released?

    It might not meet your exact criteria, but here's one I recall:

    On Win9x, if you share out a printer, it creates a printer$ share which
    points to your system directory (read-only, of course.) The purpose is so
    that other Win9x boxes can auto-download drivers when they connect to the
    share. It was pointed out to Microsoft that there is potentially all kinds
    of interesting info that can be had by an attacker. Microsoft decided it
    wasn't important to fix.

    A bit after this was under public discussion, I attended the first
    NTBugtraq conference/party thingy. A couple of the Microsoft security guys
    were there, and we got to discussing it. I asked if they planned to fix
    it, they said no. They said there's nothing exploitable. I pointed out
    that I could go through the system directory and determine things like
    exact patch levels, software installed, etc... They said they didn't think
    it was important enough. The fix would have been to create another
    directory for printer drivers, and share that out instead.

    The MS security guys basically said that if someone could demonstrate a
    significant problem, they'd take another look at it. In other words, show
    them an exploit, or they wouldn't fix it. Everyone knew it was risky, and
    just waiting for someone to come up with an interesting use for the hole.
    It was never patched (AFAIK), and that was several years ago.

                                            BB

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


