Re: Win2k Telnet.exe malicious server vulnerability

[monti <monti () USHOST COM>]

I dont want to start a lengthy debate, but I feel that I should respond
here and state for the record what my stance is.

I believe strongly in cooperating and coordinating with vendors on
security holes and doing everything possible to help them resolve a fix
without resorting to full disclosure and public exploit code (at least
until after the patch). However, it is not the responsibility of a third
party to chide and hold the hand of a negligent vendor. My time is
expensive. I have already gone to great lengths to provide you with
technical details and proof-of-concept. The code was written because I
had the time and inclination to prove a theory. Your own problems with
internal politics or agendas that prevent you from delivering a timely fix
are your own. That said, keeping the vulnerability researcher in the
loop on progress is a good way to put them at ease.

What you do not mention in your rant about me is that I requested that you
keep me in the loop and inform me when/how you would fix this problem and
I tried to give you the sense that I'd even be willing to help further if
necessary. I did not receive any email from microsoft after that time
either.

It sounds like you were willing to do this with @Stake but not me... well
thank you... should I use a non-alphanumeric character in my name next
time? Had I been treated with the same respect and participation you have
extended them, I wouldnt have been left wondering whether to release this
or not. This isnt the first time i've dealt with Micrsoft and my existing
impression of your communication skills is not a good one. If you are
indeed trying to fix this, I am glad to hear it.

As for my reasons in posting the message...

I have had more and more clients of my own moving to Windows 2000 and what
I did was definitely in their interest. This hole, as you yourself are
indicating, is known to many parties performing their own independent
research. Not all of them would have made this disclosure publicly or
to you. They may have exploited it quietly until it was found in the
wild. This is the risk that is present while users wait for a fix.

Please do not demonize me for my actions. It is MS's design that has led
to this problem. One, I might add, that MS has made before and failed to
learn from. And it would have been very easy for you to post a public
workaround

I have no reputation, (well at least not a good one) and was not motivated
in that regard. As I said before, this is a known problem to several
people, keeping it quiet (me, MS, @stake, and anyone else) was further
endangering our common clients.

All, this said, the bug really isnt all that terribly interesting anyway.
I was more interested in sharing my NTLM research with others. So, I may
have had a personal motivation, but it wasnt to glorify myself as a
'criminal hacker' as you seem to imply.

-Eric Monti


On Thu, 14 Sep 2000, Microsoft Security Response Center wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> Weld Pond and Dildog of @Stake Inc. reported this vulnerability to
> Microsoft August 1st and have been working with Microsoft since that
> time to develop a patch and an advisory.  Their commitment to vendor
> notification, responsible reporting and the protection of customer's
> assets with respect to this and other investigations has been beyond
> reproach.
>
> Microsoft has developed and @Stake has tested a patch for this
> vulnerability.  The patch is undergoing final packaging and should be
> ready for release as a security bulletin by end of the day Thursday,
> September 14.  The security bulletin will be posted to the
> Microsoft.com/security web site, will be sent to members of the
> Microsoft Security Notification Mailing list, and will be submitted
> to various security-related mailing lists.  The patch will be hosted
> on the Microsoft download center - the URL will be included as part
> of the security bulletin.
>
> With regard to "Monti's" post on this topic:
>
> Monti contacted Microsoft on August 7th with details of this
> vulnerability. Monti informed us that he was planning to release the
> vulnerability to Bugtraq (with exploit code) and would proceed with
> his plan should he fail to hear back from Microsoft within one week's
> time.  He also stated that he would postpone his release if Microsoft
> provided reasonable explanation for needing additional time to
> provide a patch.  Nowhere in his email did he mention a three-week
> timeframe as he claims in his advisory.
>
> Microsoft responded to Monti on August 7th, thanked him for his
> email, and informed him that we had received this issue from another
> party and had already opened an investigation.  We stated we would
> keep him in the loop with regards to patch availability, provided him
> with a tracking number, and encouraged him to contact us should he
> have any questions on the investigation.
>
> Monti replied on August 8th, asking for an ETA on a patch.  We
> responded to Monti on August 8th, stating: " I don't have an ETA at
> the moment -- we only learned of the issue last week, and we do need
> to make sure we've done our due diligence and understand the solution
> thoroughly.  It's a slower process than we'd like, but when you
> consider the millions of customers' machines that are affected by any
> change we make, it's pretty clear that we need to be very careful
> about our engineering and testing.  I'll definitely keep you in the
> loop as we go forward, though, and please feel free to ping me as
> needed for status information.  Sound OK?"
>
> We never heard back from Monti.
>
> Microsoft remains committed to protecting its customers.  We answer
> every inquiry sent to Secure () Microsoft com.  Each person submitting a
> vulnerability report to Microsoft is given a tracking number and is
> encouraged to contact us anytime they'd like to discuss the
> investigation.  Most individuals are willing to work us within this
> framework.  Others, as Monti has demonstrated, are more concerned
> about building their own reputation (and unnecessarily putting users
> at risk) than they are about checking with us on the status of an
> investigation.
>
> In closing, we applaud the relationship we've had with @Stake on this
> and prior Microsoft security investigations.  Their respect for
> protecting our mutual customers is something that should be emulated
> by all individuals involved in the vulnerability reporting and
> disclosure process.
>
> Regards,
>
> Eric Schultze
> Security Program Manager
> Microsoft Security Response Center
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.3
>
> iQEVAwUBOcCbl40ZSRQxA/UrAQG+DQf/UkiQdE3R8D2aulpOfpPi24b0GyCU3k5u
> +le/ToFqDyAPX3iPBhMbGJDMV+TuZGIOPY5ps4dAnSFFYxJuu/gyXTaWuMu8h5dW
> y0ePbc9zy677DlLddR7NnM0IEglhi/C2qwQS7+Au6/1Hc6MgzEoJ9h3IvGrAVazB
> hU/nyNhg6gxJSeCSqQWcgEbynJ7hW+CbnT+Z/8oEZs/JhS58CGg3ItKZwGzPf1xY
> Oq1elhMy4xHtg4vHcC/URRQ5Pa4XmQbvlHn+ufUcOWzZNA3ezcC3dN9dd0dpFCJC
> nrRjhbufAb9FBcD0xBvaWTUQETNKj3OiiM3GKEW1/sOrynxWt3qFaQ==
> =EYE0
> -----END PGP SIGNATURE-----