Bugtraq mailing list archives
Re: Win2k Telnet.exe malicious server vulnerability
From: monti <monti () USHOST COM>
Date: Thu, 14 Sep 2000 12:57:08 -0500
I dont want to start a lengthy debate, but I feel that I should respond here and state for the record what my stance is. I believe strongly in cooperating and coordinating with vendors on security holes and doing everything possible to help them resolve a fix without resorting to full disclosure and public exploit code (at least until after the patch). However, it is not the responsibility of a third party to chide and hold the hand of a negligent vendor. My time is expensive. I have already gone to great lengths to provide you with technical details and proof-of-concept. The code was written because I had the time and inclination to prove a theory. Your own problems with internal politics or agendas that prevent you from delivering a timely fix are your own. That said, keeping the vulnerability researcher in the loop on progress is a good way to put them at ease. What you do not mention in your rant about me is that I requested that you keep me in the loop and inform me when/how you would fix this problem and I tried to give you the sense that I'd even be willing to help further if necessary. I did not receive any email from microsoft after that time either. It sounds like you were willing to do this with @Stake but not me... well thank you... should I use a non-alphanumeric character in my name next time? Had I been treated with the same respect and participation you have extended them, I wouldnt have been left wondering whether to release this or not. This isnt the first time i've dealt with Micrsoft and my existing impression of your communication skills is not a good one. If you are indeed trying to fix this, I am glad to hear it. As for my reasons in posting the message... I have had more and more clients of my own moving to Windows 2000 and what I did was definitely in their interest. This hole, as you yourself are indicating, is known to many parties performing their own independent research. Not all of them would have made this disclosure publicly or to you. They may have exploited it quietly until it was found in the wild. This is the risk that is present while users wait for a fix. Please do not demonize me for my actions. It is MS's design that has led to this problem. One, I might add, that MS has made before and failed to learn from. And it would have been very easy for you to post a public workaround I have no reputation, (well at least not a good one) and was not motivated in that regard. As I said before, this is a known problem to several people, keeping it quiet (me, MS, @stake, and anyone else) was further endangering our common clients. All, this said, the bug really isnt all that terribly interesting anyway. I was more interested in sharing my NTLM research with others. So, I may have had a personal motivation, but it wasnt to glorify myself as a 'criminal hacker' as you seem to imply. -Eric Monti On Thu, 14 Sep 2000, Microsoft Security Response Center wrote:
-----BEGIN PGP SIGNED MESSAGE----- Weld Pond and Dildog of @Stake Inc. reported this vulnerability to Microsoft August 1st and have been working with Microsoft since that time to develop a patch and an advisory. Their commitment to vendor notification, responsible reporting and the protection of customer's assets with respect to this and other investigations has been beyond reproach. Microsoft has developed and @Stake has tested a patch for this vulnerability. The patch is undergoing final packaging and should be ready for release as a security bulletin by end of the day Thursday, September 14. The security bulletin will be posted to the Microsoft.com/security web site, will be sent to members of the Microsoft Security Notification Mailing list, and will be submitted to various security-related mailing lists. The patch will be hosted on the Microsoft download center - the URL will be included as part of the security bulletin. With regard to "Monti's" post on this topic: Monti contacted Microsoft on August 7th with details of this vulnerability. Monti informed us that he was planning to release the vulnerability to Bugtraq (with exploit code) and would proceed with his plan should he fail to hear back from Microsoft within one week's time. He also stated that he would postpone his release if Microsoft provided reasonable explanation for needing additional time to provide a patch. Nowhere in his email did he mention a three-week timeframe as he claims in his advisory. Microsoft responded to Monti on August 7th, thanked him for his email, and informed him that we had received this issue from another party and had already opened an investigation. We stated we would keep him in the loop with regards to patch availability, provided him with a tracking number, and encouraged him to contact us should he have any questions on the investigation. Monti replied on August 8th, asking for an ETA on a patch. We responded to Monti on August 8th, stating: " I don't have an ETA at the moment -- we only learned of the issue last week, and we do need to make sure we've done our due diligence and understand the solution thoroughly. It's a slower process than we'd like, but when you consider the millions of customers' machines that are affected by any change we make, it's pretty clear that we need to be very careful about our engineering and testing. I'll definitely keep you in the loop as we go forward, though, and please feel free to ping me as needed for status information. Sound OK?" We never heard back from Monti. Microsoft remains committed to protecting its customers. We answer every inquiry sent to Secure () Microsoft com. Each person submitting a vulnerability report to Microsoft is given a tracking number and is encouraged to contact us anytime they'd like to discuss the investigation. Most individuals are willing to work us within this framework. Others, as Monti has demonstrated, are more concerned about building their own reputation (and unnecessarily putting users at risk) than they are about checking with us on the status of an investigation. In closing, we applaud the relationship we've had with @Stake on this and prior Microsoft security investigations. Their respect for protecting our mutual customers is something that should be emulated by all individuals involved in the vulnerability reporting and disclosure process. Regards, Eric Schultze Security Program Manager Microsoft Security Response Center -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBOcCbl40ZSRQxA/UrAQG+DQf/UkiQdE3R8D2aulpOfpPi24b0GyCU3k5u +le/ToFqDyAPX3iPBhMbGJDMV+TuZGIOPY5ps4dAnSFFYxJuu/gyXTaWuMu8h5dW y0ePbc9zy677DlLddR7NnM0IEglhi/C2qwQS7+Au6/1Hc6MgzEoJ9h3IvGrAVazB hU/nyNhg6gxJSeCSqQWcgEbynJ7hW+CbnT+Z/8oEZs/JhS58CGg3ItKZwGzPf1xY Oq1elhMy4xHtg4vHcC/URRQ5Pa4XmQbvlHn+ufUcOWzZNA3ezcC3dN9dd0dpFCJC nrRjhbufAb9FBcD0xBvaWTUQETNKj3OiiM3GKEW1/sOrynxWt3qFaQ== =EYE0 -----END PGP SIGNATURE-----
Current thread:
- Win2k Telnet.exe malicious server vulnerability monti (Sep 13)
- Re: Win2k Telnet.exe malicious server vulnerability Jim Paris (Sep 14)
- Re: Win2k Telnet.exe malicious server vulnerability Micah Webner (Sep 14)
- <Possible follow-ups>
- Re: Win2k Telnet.exe malicious server vulnerability Microsoft Security Response Center (Sep 14)
- Re: Win2k Telnet.exe malicious server vulnerability monti (Sep 14)
- Re: Win2k Telnet.exe malicious server vulnerability Microsoft Security Response Center (Sep 14)
- Re: Win2k Telnet.exe malicious server vulnerability Tim Hollebeek (Sep 14)
- Re: Win2k Telnet.exe malicious server vulnerability Blue Boar (Sep 15)
- Re: Win2k Telnet.exe malicious server vulnerability Рягин Михаил Юрьевич (Sep 15)
- Re: Win2k Telnet.exe malicious server vulnerability Bronek Kozicki (Sep 17)
- Re: Win2k Telnet.exe malicious server vulnerability J Edgar Hoover (Sep 18)
- Re: Win2k Telnet.exe malicious server vulnerability Bronek Kozicki (Sep 17)