Bugtraq mailing list archives
Re: Windows 0day release
From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 13 Jun 2007 13:03:36 -0400 (EDT)
Joanna Rutkowska said:
> Dear all, this is not a 0day, it is a public release of a responsibly
> disclosed vulnerability.

Yes, indeed it *seems* so: http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx
The kinds of discrepancies you list are an almost daily occurrence with many vendors. I can't begin to imagine how many sysadmins and even security researchers make assumptions that link two separate issues just because they happen to involve the same component.

Some sufficient correlators are:

- cross-references (CVE, Bugtraq ID, Secunia, OSVDB, etc.)
- claims by reliable parties (for some definition of "reliable") that the vendor's advisory fixes issue X
- sufficient details in both vendor and researcher advisory WITH ATTACK VECTORS ("buffer overflow in component X" doesn't cut it)
- mutual credits and date-of-disclosure coordination
- private verification by vendor

Any one of these is usually enough. Doing this correlation is one of the significant value-adds of refined vulnerability information providers, by the way.
> The time line is also interesting, BTW:
Disclosure timelines are some of the most entertaining and educational reading in security advisories. There's now (finally) enough data for somebody somewhere to do a quantitative study on reported timelines, including typical vendor response times, and issues in the process. (If someone wants to pursue this, feel free to contact me to bat ideas around.)

A lot of researcher timelines show a delay between the original discovery and vendor notification. In some cases, this can be due to additional time required to prove that the discovery is exploitable in order to give a more reliable report to the vendor, but that's not always the case.

- Steve
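The quantitative study suggested above would start by extracting dated milestones (discovery, vendor notification, fix, publication) from the free-text "timeline" sections of advisories and computing the gaps between them. The following is an added example of that extraction, not code from the original post or from MITRE; the two timelines it parses are constructed for illustration and do not describe real advisories, and the keyword patterns used to classify events are assumptions about how researchers typically phrase their entries.

```python
"""Compute vendor-response statistics from advisory disclosure timelines.

Added example, not part of the original mailing-list post. The timeline
text below is constructed for illustration and does not describe any real
advisory; the "YYYY-MM-DD: event" format and the keyword patterns used to
classify events are assumptions about common advisory phrasing.
"""
import re
from datetime import datetime
from statistics import median

# Constructed sample timelines (hypothetical, not real advisories).
SAMPLE_TIMELINES = {
    "ADV-A": """\
2007-03-20: Vulnerability discovered
2007-03-28: Proof-of-concept exploit confirmed
2007-03-29: Vendor notified
2007-04-02: Vendor acknowledges report
2007-06-12: Vendor releases fix, advisory published
""",
    "ADV-B": """\
2007-01-05: Issue found during audit
2007-01-05: Report sent to vendor
2007-02-20: Patch released
2007-02-21: Public disclosure
""",
}

# Keyword patterns that map free-text entries to milestone kinds
# (assumed phrasing; a real study would need a richer vocabulary).
EVENT_PATTERNS = {
    "discovered": re.compile(r"discover|found", re.I),
    "notified": re.compile(r"notif|report sent|sent to vendor", re.I),
    "fixed": re.compile(r"fix|patch", re.I),
    "published": re.compile(r"publish|public disclosure", re.I),
}

# One dated entry per line: "YYYY-MM-DD: free text"
LINE_RE = re.compile(r"^\s*(\d{4}-\d{2}-\d{2})\s*:\s*(.+?)\s*$")


def parse_timeline(text):
    """Return {milestone_kind: date} using the first matching line per kind."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not dated entries
        day = datetime.strptime(m.group(1), "%Y-%m-%d").date()
        desc = m.group(2)
        for kind, pat in EVENT_PATTERNS.items():
            if kind not in events and pat.search(desc):
                events[kind] = day
    return events


def delays(events):
    """Days between milestones; None when either milestone is missing."""
    def gap(a, b):
        if a in events and b in events:
            return (events[b] - events[a]).days
        return None
    return {
        "discovery_to_notification": gap("discovered", "notified"),
        "notification_to_fix": gap("notified", "fixed"),
        "fix_to_publication": gap("fixed", "published"),
    }


def summarize(timelines):
    """Per-advisory delays plus the median vendor fix time across the set."""
    per_adv = {name: delays(parse_timeline(t)) for name, t in timelines.items()}
    fix_times = [d["notification_to_fix"] for d in per_adv.values()
                 if d["notification_to_fix"] is not None]
    return {
        "per_advisory": per_adv,
        "median_notification_to_fix": median(fix_times) if fix_times else None,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_TIMELINES)
    for name, d in result["per_advisory"].items():
        print(name, d)
    print("median notification-to-fix (days):",
          result["median_notification_to_fix"])
```

The discovery-to-notification gap is what the post singles out as interesting: in the constructed ADV-A it is nine days, in ADV-B zero. Missing milestones are reported as None rather than silently skipped, so a study built on this can count how many advisories omit a notification date at all.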
Current thread:
- Windows 0day release Thomas Lim (Jun 12)
- Re: Windows 0day release ge (Jun 12)
- Re: Windows 0day release Joanna Rutkowska (Jun 13)
- Re: [Full-disclosure] Windows 0day release Jared DeMott (Jun 14)
- Re: Windows 0day release Joanna Rutkowska (Jun 13)
- <Possible follow-ups>
- Re: Windows 0day release Steven M. Christey (Jun 13)
- Re: Windows 0day release ge (Jun 14)
- Re: Windows 0day release Hugo van der Kooij (Jun 19)
- Re: Windows 0day release ge (Jun 14)
- Re: Windows 0day release ge (Jun 12)