RE: Microsoft Vulnerabilities ARE being reported to Microsoft

From: ISNYC (admin_at_infosecnyc.com)
Date: 12/22/04

    To: "'Paul'" <paul@greyhats.cjb.net>, <focus-ms@securityfocus.com>
    Date: Wed, 22 Dec 2004 15:01:05 -0500
    
    

    paul//

    Do you really care what MS thinks?
    My way of going around things....

    1. Find the bug
    2. Inform the software maker
    3. Release the bug/vulnerability and a proof of concept (POC/exploit) to a
    full disclosure list.

    Paul... If you can compromise SP2, let's see it. Release a POC.

    Take it from there.

    Happy Holidays Everyone-

    -----Original Message-----
    From: Paul [mailto:paul@greyhats.cjb.net]
    Sent: Monday, December 20, 2004 10:29 PM
    To: focus-ms@securityfocus.com
    Subject: Microsoft Vulnerabilities ARE being reported to Microsoft

    If you came here looking for a vulnerability, you will be disappointed,
    because this is simply a message. Contrary to popular opinion, I do disclose
    my vulnerabilities to Microsoft before release. They do not respond to any of
    my emails so I assumed they either 1) didn't care, or 2) were taking
    considerable action to patch these vulnerabilities. The Microsoft statement
    that I do not disclose the vulnerabilities to them is untrue and is probably
    just an attempt by Microsoft to make me look bad because of their own
    incompetence. I will continue to work towards a secure operating system
    because that is what we security professionals strive to accomplish.

    PS: Microsoft, I have found a way to compromise SP2 by writing a file to
    anywhere on the victim's computer without user interaction. As always, I
    will email you with the details of the vulnerability.
