RE: Microsoft Vulnerabilities ARE being reported to Microsoft

From: ISNYC (admin_at_infosecnyc.com)
Date: 12/22/04

    To: "'Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]'" <sbradcpa@pacbell.net>, <focus-ms@securityfocus.com>
    Date: Wed, 22 Dec 2004 17:27:18 -0500
    
    

    Ohh. So you're the type to keep things in the closet.

    Well.. I disagree.

    He/Paul is complaining that MS is not responding to his bug reports.
    (typical)

    He/We are not attacking MS.

    We're trying to help them, but they don't want to help themselves. There
    are countless 0days for MS that have been reported, without a patch. (cough
    ** eeye ** cough)

    So what's worse, you tell me?

    1. Keep the bug in the closet, let a blackhat self discover it and exploit
    it, and spread it in the private 0day world, and just let blackhats hack
    away at the bug, compromising thousands, possibly millions of PCs/servers.

    Or

    2. Report the bug to the software vendor, then expose the bug on a full
    disclosure list for everyone to read and see. Make it public. Then
    users/admins can decide how to protect themselves and the companies they
    work for.

    Ever hear the expression .. What you can't see can hurt you.

    Take Care-

    -----Original Message-----
    From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    [mailto:sbradcpa@pacbell.net]
    Sent: Wednesday, December 22, 2004 4:26 PM
    To: ISNYC
    Cc: 'Paul'
    Subject: Re: Microsoft Vulnerabilities ARE being reported to Microsoft

    Let's not folks.

    Do you folks have any idea of what impact you have on the world when you
    guys pull stuff like this? Forget hurting Microsoft... you hurt my
    communities down here.

    ISNYC wrote:

    >paul//
    >
    >Do you really care what MS thinks?
    >My way of going around things....
    >
    >1. Find the bug
    >2. Inform the software maker
    >3. Release the bug/vulnerability and a proof of concept (POC/exploit) to
    >a full disclosure list.
    >
    >Paul... If you can compromise SP2, let's see it. Release a POC.
    >
    >Take it from there.
    >
    >Happy Holidays Everyone-
    >
    >
    >
    >-----Original Message-----
    >From: Paul [mailto:paul@greyhats.cjb.net]
    >Sent: Monday, December 20, 2004 10:29 PM
    >To: focus-ms@securityfocus.com
    >Subject: Microsoft Vulnerabilities ARE being reported to Microsoft
    >
    >
    >
    >
    >If you came here looking for a vulnerability, you will be disappointed,
    >because this is simply a message. Contrary to popular opinion, I do
    >disclose my vulnerabilities to Microsoft before release. They do not
    >respond to any of my emails so I assumed they either 1) didn't care, or
    >2) were taking considerable action to patch these vulnerabilities. The
    >Microsoft statement that I do not disclose the vulnerabilities to them
    >is untrue and is probably just an attempt by Microsoft to make me look
    >bad because of their own incompetence. I will continue to work towards
    >a secure operating system because that is what we security
    >professionals strive to accomplish.
    >
    >PS: Microsoft, I have found a way to compromise SP2 by writing a file
    >to anywhere on the victim's computer without user interaction. As
    >always, I will email you with the details of the vulnerability.
    >

    -- 
    An open letter to the Security Community:: 
    http://msmvps.com/bradley/archive/2004/12/12/23540.aspx