Re: Fwd: Information on MS99-022

From: Marc (Marcat_private)
Date: Sat Jul 03 1999 - 15:39:28 PDT

Next message: Vanja Hrustic: "Re: Fwd: Information on MS99-022"

Previous message: aleph1at_private: "ISSalert: ISS Security Advisory: Bad Permissions on Passwords"
Maybe in reply to: Vanja Hrustic: "Fwd: Information on MS99-022"
Next in thread: Vanja Hrustic: "Re: Fwd: Information on MS99-022"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I am glad this thread is now on bugtraq since Russ Cooper filters my posts
to NTBugtraq.

People should not have to pay for "full disclosure" of MS advisories.
However, it probably does not surprise most that MS would hook up with
another company to do such a thing.

Also, it seems that MS thinks it is a "safe idea" to just give the full
details to the ICSA so that way the wrong people do not get full details
about it. However, as was pointed out by someone on NTBugtraq, there are
always a few bad eggs that will leak out the information. So why make it a
pain in the ass for the security community to get full details when the
details will get out any way. Either do not give any details to anyone or
give them to everyone.

We at eEye are hopefully going to start "re-releasing" Microsoft's
advisories with full details. We however are hard pressed for time around
here so if anyone wants to help out to figure out all the details about
future MS advisories and write demonstration code etc, drop me an eMail.

Signed,
Marc
eEye Digital Security Team
http://www.eEye.com



-----Original Message-----
From: Vanja Hrustic <vanjaat_private>
To: BUGTRAQat_private <BUGTRAQat_private>
Date: Saturday, July 03, 1999 9:40 PM
Subject: Fwd: Information on MS99-022


|I haven't seen this on the Bugtraq, but it's very interesting...
|
|--
|>Wanted to advise that we are making information available regarding the
|>technical details involved in the "Double Byte Code Page" vulnerability
|>(http://www.microsoft.com/security/bulletins/ms99-022.asp).  We've
provided
|>a full description to the ICSA, for dissemination within their Intrusion
|>Detection Consortium.  This will allow security vendors to have access to
|>the information that they need to develop scanning tools that will check
for
|>this attack.  However, we are not planning to do a general release of the
|>information.  If you are running IIS 3.0 or 4.0 on a server whose default
|>language is set to Chinese, Japanese, or Korean, you should apply the
patch.
|>
|>Cheers,
|>
|>Secureat_private
|--
|
|So, if I have my custom-developed IDS running, I won't be able to implement
|a pattern for this, because I am not a member of 'Intrusion Detection
|Consortium'?
|
|Note the words...
|
|"This will allow security vendors to have access to the information..." -
|why only security vendors? What better they are than Bugtraq folks?
|
|"Security through obscurity" comes to mind...
|
|Vanja
|

Next message: Vanja Hrustic: "Re: Fwd: Information on MS99-022"
Previous message: aleph1at_private: "ISSalert: ISS Security Advisory: Bad Permissions on Passwords"
Maybe in reply to: Vanja Hrustic: "Fwd: Information on MS99-022"
Next in thread: Vanja Hrustic: "Re: Fwd: Information on MS99-022"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:28 PDT