Full Disclosure mailing list archives

Re: Microsoft Cries Wolf ( again )


From: KF <dotslash () snosoft com>
Date: Tue, 01 Jul 2003 16:53:55 +0000

It only takes 30 seconds to type an email saying.... hey, thanks for taking the time to let us know... we will get back to you. The no-call no-shows (not replying to security-related emails) are BS, for lack of a better word. Not even acknowledging an issue is a far cry from trying to work out a fix. A lot of vendors can't even do that without you yanking a few teeth out.

I am also sick of seeing vendors downplay issues by calling them "potential" or "denial of service". As an example... http://archives.neohapsis.com/archives/tru64/2002-q3/0019.html

Here's me *potentially exploiting the issue*:

bash-2.05a$ id
uid=201(dotslash) gid=15(users) groups=0(system)
bash-2.05a$ ./TRU64_su
# id
uid=0(root) gid=15(users) groups=15(users),0(system)

or http://xforce.iss.net/xforce/xfdb/7157
and
http://www.blacksheepnetworks.com/security/hack/linux/squid.c

What part of me taking a root shell as a local user is a potential issue... and what part of me taking remote uid nobody entails a denial of service attack... yeah, the abuser may have crashed the service while trying to exploit the issue, but that hardly qualifies denial of service as the impact of the bug.

As a side note, the three-letter company I spoke about earlier today has since gone above and beyond at attempting to rectify the communications problem we had earlier. Thanks to those of you that helped out.
-KF


dhtml () hush com wrote:

While there is some argument about what makes a vendor un-responsive, patch times in this case are, likely and understandably, quite lengthy. These fixes are not trivial to begin with, thanks in no small part to the incredible number of customers Microsoft has. As if the literally millions of configurations Microsoft software must support weren't enough, think for a second about the multiple different character sets its code applies to. Even the *DOCUMENTATION* for the patch must be translated into dozens of different languages -- no small task with exploitation looming on the horizon. However, it is obvious that in this case, the reporter did not attempt any contact with Microsoft whatsoever.

/////////

This is not my problem. I DON'T CARE!

That's your company and you do with it as you see fit. Whether you want
to make 1 million versions of your product in order to grab every possible
market share, so be it.

You'd better be damn sure that what you make works; otherwise, if you throw it out there and it breaks, someone has to pay.

Why not make one quality product instead of hundreds of flawed ones?

That's right! It's your company and you do with it as you see fit!


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


