Bugtraq mailing list archives
RE: Correction to latest Colsaire advisories
From: "David Litchfield" <davidl () ngssoftware com>
Date: Wed, 15 Sep 2004 16:42:39 +0100
The Corsaire research project produced test cases for around 200 working attack vectors, that when passed through the top 10 content products produced over 800 individual vulnerabilities (needless to point out that there are a lot more than 10 products in this arena).
Not wanting to quibble, but looking for clarification: The associated UNIRAS advisory (http://www.uniras.gov.uk/vuls/2004/380375/mime.htm) lists the responses from various vendors with regards to these issues. I presume that these are nine of the "top 10 content providers". Vendors include: Apple, F-Secure, Fujitsu, HP, IBM, MessageLabs, Mozilla and ripMIME. Only ripMIME and F-Secure (Server products affected, workstation products fine) claim to have been found wanting. The remainder clearly state that their products, when put through the test suite, were _not_ found to be vulnerable. How does this translate to the figures you're talking about?

I ask this to better understand the risk. Is this something everything else should be dropped for and this prioritized? From the UNIRAS advisory I'd assume not, unless of course you use F-Secure servers or ripMIME, and, at the moment, it all seems a bit like a storm in a teacup.

I also note that Microsoft was not listed as a vendor that responded. Were their products tested and if so what were the results?

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.nextgenss.com/
http://www.databasesecurity.com/
+44(0)1334 470 027