Re: Windows 0day release




Joanna Rutkowska said:

Dear all, this is not a 0day, it is a public release of a responsibly
disclosed vulnerability.


Yes, indeed it *seems* so:
http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx

The kinds of discrepancies you list are an almost daily occurrence with
many vendors. I can't begin to imagine how many sysadmins and even
security researchers make assumptions that link two separate issues just
because they happen to involve the same component.

Some sufficient correlators are:

- cross-references (CVE, Bugtraq ID, Secunia, OSVDB, etc.)

- claims by reliable parties (for some definition of "reliable") that the
vendor's advisory fixes issue X

- sufficient details in both vendor and researcher advisory WITH
ATTACK VECTORS ("buffer overflow in component X doesn't cut it")

- mutual credits and date-of-disclosure coordination

- private verification by vendor

Any one of these is usually enough.

Doing this correlation is one of the significant value-adds of refined
vulnerability information providers, by the way.

The time line is also interesting, BTW:

Disclosure timelines are some of the most entertaining and educational
reading in security advisories. There's now (finally) enough data for
somebody somewhere to do a quantitative study on reported timelines,
including typical vendor response times, and issues in the process. (If
someone wants to pursue this, feel free to contact me to bat ideas
around.)

A lot of researcher timelines show a delay between the original discovery
and vendor notification. In some cases, this can be due to additional
time required to prove that the discovery is exploitable in order to give
a more reliable report to the vendor, but that's not always the case.

- Steve


