RE: [Full-Disclosure] Microsoft and Security

From: Burnes, James (james.burnes_at_gwl.com)
Date: 06/25/04

    To: <1@malware.com>, <bugtraq@securityfocus.com>
    Date: Fri, 25 Jun 2004 15:38:56 -0600
    
    

    One word,

    m-o-n-o-p-o-l-y

    And what are you going to do about it, punk?

    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of http-equiv@excite.com
    > Sent: Friday, June 25, 2004 10:02 AM
    > To: bugtraq@securityfocus.com
    > Cc: NTBugtraq@listserv.ntbugtraq.com; full-disclosure@lists.netsys.com
    > Subject: [Full-Disclosure] Microsoft and Security
    >
    >
    >
    > Where is Microsoft now "protecting their customers" as they love
    > to bray? Should not someone in authority of this public company
    > step forward and explain themselves at this time?
    >
    > All of a sudden panic is being created across the WWW with "IIS
    > Exploit Infecting Web Site Visitors With Malware", "Mysterious
    > Attack Hits Web Servers", "Researchers warn of infectious Web
    > sites" all stemming from all news accounts from an
    > unpatched "problem" with Internet Explorer now two weeks old and
    > counting, which in fact in reality stems from 10 months ago,
    > that being the adodb.stream safe for scripting control with
    > write capabilities.
    >
    > What exactly is being done about this? Nothing. What does
    > multiple billions of dollars buy you today. Nothing. However for
    > $20 million you can almost fly to the moon.
    >
    > Someone ought to step forward and explain what exactly is
    > happening at this public company. The great "protector of their
    > customers". One might even suggest that their entire "security"
    > mandate be re-examined. What exactly do they consider a
    > vulnerability? Something that suits them or something that's
    > cost effective to fix. So what, a few people lose their
    > identities, have a few dollars extracted from their bank
    > accounts, have their home pages reset, we'll fix it when it
    > suits us as we have to be on budget this quarter. The Big Boss
    > says $40 billion isn't enough this year.
    >
    > A vulnerability:
    >
    > http://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx
    >
    > "A security vulnerability is a flaw in a product that makes it
    > infeasible - even when using the product properly - to prevent an
    > attacker from usurping privileges on the user's system,
    > regulating its operation, compromising data on it, or assuming
    > ungranted trust."
    >
    > What is this gibberish? For the past 10 months the adodb.stream
    > object is capable of writing files to the "all important
    > customer's" computer. It has real world consequences. It rapes
    > their computer. Does it fit into the gibberish custom
    > definition. Plain and simple: "A security vulnerability is a
    > flaw in a product that makes it infeasible". What kind of
    > language is this. Reads like the financial department conjured
    > it up.
    >
    > Disabling scripting won't solve it. Putting sites in one of the
    > myriad of "zones" won't solve it. Internet Explorer can
    > trivially be fooled into operating in the less than secure
    > so-called "intranet zone" and it can be guided there remotely.
    >
    > What's happening here. Where is the Microsoft representative
    > explaining all of this to the shareholders and "customers" they
    > so dearly wish to protect. This is unacceptable. Someone must
    > be held accountable.
    >
    >
    > --
    > http://www.malware.com
    >
    >
    >
    >
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
