Full Disclosure mailing list archives
Re: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption
From: <macmanus () hushmail com>
Date: Wed, 11 Feb 2004 07:44:05 -0800
> bothered that you were giving people a road map to the exploit.
> Here I was wondering why a security vendor would be increasing the risk model

Increasing the "risk model" by giving people more information? Are you kidding? Are you lost? On the wrong list maybe?

> by releasing details which will save the "bad guys" weeks
> of research on the day of the patch release, giving the "good guys" even less time to regression test this patch in their environment and mitigate any harmful side effects. Seriously, I think as a firm in the security industry that touts themselves as an enterprise network protector you owe the community an explanation as to what value the information in these bulletins has.

If by that you mean the community owes them thanks for publishing these findings...

> How many of your customers have been directly affected by worms which have spawned from information you have provided?

Your good guys/bad guys logic is very convincing... you're right, clearly it is better to keep it all a secret so no one knows the problems and no one can fix them or implement workarounds until these companies finally get around to issuing patches.

> Nothing in this bulletin helps me mitigate
> this vulnerability, unless I am writing my own IDS rules

Wow! You are quick! With information like this you can write IDS rules and firewall rules and all kinds of magic fixes.

> I am all for full disclosure, but that doesn't have to mean immediate disclosure; understanding the potential harm in what you are doing and adjusting your ego-boosting email release cycle to match it would do us all some good. Do I want you to stop releasing bulletins about vulnerabilities? No. Do I want you to wait to release academically valuable research info which might help others either avoid creating such flaws in their code or find such flaws that already exist? Yes.

You're very demanding there, Paul. Full disclosure, no. Partial disclosure when it's already too late to do anything about it, yes. (Yeah, that would be a great world.) Do this, do that. How about you do something useful and quit whining when you end up having to do a little more work.
Current thread:
- EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Marc Maiffret (Feb 10)
- Re: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Paul Tinsley (Feb 11)
- RE: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Geo. (Feb 11)
- Re: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Paul Tinsley (Feb 11)
- RE: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Geo. (Feb 11)
- RE: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Bill Royds (Feb 11)
- RE: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Geo. (Feb 11)
- Re: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption Paul Tinsley (Feb 11)
- <Possible follow-ups>
- Re: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption macmanus (Feb 11)
- Re: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption bart2k (Feb 11)
- RE: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption nick danger (Feb 11)