Re: Complicated Disclosure Scenario

From: Bill Weiss (houdini@nmt.edu)
Date: 01/17/02

• Previous message: Raymond Vrolijk: "Re: [VulnWatch] CSS vulnerabilities in YaBB and UBB allow account hijack [Multiple Vendor]"
• In reply to: Josha Bronson: "Complicated Disclosure Scenario"
• Next in thread: Martin.Farrelly@irishlife.ie: "FW: Complicated Disclosure Scenario"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 17 Jan 2002 08:57:21 -0700
From: Bill Weiss <houdini@nmt.edu>
To: vuln-dev@securityfocus.com

Josha Bronson(dmuz@slartibartfast.angrypacket.com)@Wed, Jan 16, 2002 at 07:01:24PM -0800:
> Greetings fellow security folk,
>
> I would like to gather some opinions on a not so theoretical disclosure
> scenario. Please for the sake of focused discussion keep your replies
> related to the specific scenario that I am proposing and not alternate
> opinions on disclosure in general.
>
> At this point I contacted the vendor to alert them to the existence of
> this problem. After exchanging multiple emails, in which I tediously
> outlined the DoS condition and *potential* exploit situation I was told
> that they would wait until I determined if code could be exploited
> before they began creating an advisory or even working on a patch.
>

Release an advisory. It's not your job to research the vulnerability.
The DoS works, and the exploit may work. I'd suggest releasing it as such,
and tracking down someone who runs the software and (with their permission!)
run the exploit. If it works, Re: it to the advisory.

Alternately, release it in here, so people can test it. You'll get proper
credit, and find out if the exploit works. If not, there's still a DoS in
it.

Though it's good of you to worry about the customers, it's the company's job
to keep their users safe of exploits. The response you got indicates that
this may not be their highest priority. Though I could hazzard some guesses
as to the company (*ahem*), I'll just leave it at "I'm glad I don't use their
software" (I hope).

-- Bill Weiss

---

• Previous message: Raymond Vrolijk: "Re: [VulnWatch] CSS vulnerabilities in YaBB and UBB allow account hijack [Multiple Vendor]"
• In reply to: Josha Bronson: "Complicated Disclosure Scenario"
• Next in thread: Martin.Farrelly@irishlife.ie: "FW: Complicated Disclosure Scenario"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Article: The Origin of Life ... Orgel has added nothing positive to our understanding of life's ... If this seems harsh, well ..., you did ask for opinions. ... encompassing scenario of how life may have originated. ... bit about providing "a dose of chemical common sense". ... (talk.origins) Re: Taking back control of the flight computer ? ... >was talking about some black helicopter types taking planes to hit the WTC ... >people did think about that scenario. ... Expressed in this posting are my opinions. ... to opinions held by my employer, Sun Microsystems. ... (comp.arch) Re: Scientist explains global warming stopped a decade ago... ... the world towards a doomsday like scenario - the kind mankind has not ... opinions or articles, and then acts like he's an expert. ... (alt.sports.football.pro.ne-patriots) Re: Not condoning drink driving but the Police are wankers...... ... Can't back up your opinions. ... Maybe "this newsgroup may be a little too sophisticated for you"? ... >>Here's a scenario. ... Prev by Date: ... (uk.legal)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > vuln-dev  > 2002-01