Bugtraq mailing list archives

Re: Windows Oday release


From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Wed, 13 Jun 2007 12:10:23 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ge () linuxbox org wrote:
> On 2007-06-13 02:58+0800, Thomas Lim wrote:
>> dear all
>
> Dear all, this is not a 0day, it is a public release of a responsibly
> disclosed vulnerability.


Yes, indeed it *seems* so:
http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx

But, of course, we cannot be sure that the bug that was addressed by
this patch is actually the same one as presented in Thomas' post,
without analyzing the patch (or a patched system). If Thomas says it's a
0day, then maybe somebody should check it. Why would Thomas say it's a
0day if it was already fixed?

Obviously I'm far from punishing anybody for publishing a 0day -- after
all the potential attack vector would have existed even if the 0day was
not made public.

What is funny however, is that Microsoft, the great supporter of
"responsible disclosure" actually is the main sponsor ("patron") of the
SyScan conference: http://syscan.org/ which is organized by Thomas.
Maybe it's a sign that Microsoft realized that the free "responsible
disclosure" idea is a bit artificial? (At last!)

The timeline is also interesting, BTW:

Discovery Date:
28th August 2006

Date reported to Microsoft:
19th March 2007


One (I guess some "responsible disclosure" purist) could ask why they
waited 6 months before reporting this vulnerability to the vendor? What
were they doing with this exploit for the whole 6 months?

Obviously I'm far from being a "security responsible" crusader and I
think that they had a full right to wait with reporting the bug to the
vendor (if the vendor was not their client) as long as they wanted and
that MS should be happy that they eventually decided to do that.
(Needless to say, MS is grateful, as we see in the bulletin.)

What seems more interesting, however, is why Thomas actually made the
discovery date public. After all, they could have just written the "reported to
vendor" date, but they intentionally also gave the discovery date,
risking the possibility of potential accusations of being "not
responsible"...

Anyway, congrats to the mysterious Steven:

Discovered by:
Steven
Security Researcher
Vulnerability Research Lab
COSEINC

Interestingly, the MS bulletin credits Thomas Lim for the discovery and
not Steven, which may suggest that Steven is some sort of program
(maybe another fuzzer) for bug hunting...

joanna.
-----BEGIN PGP SIGNATURE-----

iQEVAwUBRm/CjswG7MOLAMOlAQKt7Qf/cCKmRGZJcs467h4+/79X/luNdx+dRh10
pcx1PjqlbbPnonjney0+kYjSG7uvm7h0kntffP60am/JKceUk/M/Hgw0LUdWPCEL
2qCKPnOypZzE5YimJiUWrxy97pa+SInUyvoAJswHzu5v3TMLKZpJkqHj3M8PwsDz
xseh3ON+eDZ4L6XpUWxwUSgP2AlRxQ3/RQIwAbyVZAYPHgp3qKSMWmOxDDv6dWQr
7UJB4HozXiwgSTpI1vbuADC/nKCFbasoAmAo857nKtfjvgqAjgN3M9zc8YkuyT9h
wSFrK/GiN5hPAfhQBfpexPEO3521CABqAL16F6dax42fOYuBhvdACg==
=jETT
-----END PGP SIGNATURE-----
