Sent to NTBugtraq and Bugtraq.

re: http://www.securityfocus.com/level2/?go=vulnerabilities&id=548

1. I incorrectly stated that it was password protected preventing the viewing of the code. The code is readily visible; the formatting of the spreadsheet sent me on a wild goose chase. My apologies.

2. Both spreadsheets (the SF-hosted spreadsheet and Juan's original spreadsheet) are called SHELL.XLS and contain a sheet called HOJA1. Juan Cuartango's spreadsheet contained two additional unused sheets.

3. The SF-hosted spreadsheet's "Summary" properties, including author and company, are identical to Juan's original spreadsheet.

4. The commands performed by the two different spreadsheets are formatted identically, although they do different things (Juan's didn't invoke regedit, and relied on the presence of boot.ini instead of config.sys).

Ergo, IMNSHO, they are the same, and the SF-hosted spreadsheet is a slightly modified copy of Juan's (as opposed to independent creation of an exploit or discovery of the vulnerability).

As to where Brootfoceat_private got it, or who they are, doesn't matter; clearly Juan's spreadsheet leaked to someone other than people he intended it to (since he's now claiming it's all confidential data).

Apologies for the tone of my previous reply to Elias' post.

NTBugtraq's policy is public (see http://ntbugtraq.ntadvice.com/policy.asp), and as Juan's message made clear, I have been sticking to the wishes of the discoverer (and abiding by my policy endorsed by NTBugtraq's subscribers).

As to whether or not full and immediate disclosure is the best thing since sliced bread, clearly there are differing views, so be it.

I do feel, however, that the Bugtraq Vulnerability Database should contain more information. The fact that there are no dates associated with the addition of the exploit code to the Bugtraq-ID record associated with Juan's original message can cause problems (when did the exploit code get added to the record?). The fact that nobody has mentioned the existence of the exploit code within the Bugtraq vdB caused my serious questions as to when it "was found in the wild".

It amazes me that, according to Alfred Huger, the exploit was on the SF front page "for some time" and nobody seemed to notice or mention it anywhere. While there may well be many updates to the Bugtraq vdB hourly, something of this import shouldn't be missed by so many (inside and outside SF) for so long.

According to my policy, had I been made aware of the fact that the exploit was *anywhere* in public things would have been done differently.

Now that the exploit is available in public, I'll prepare my analysis and post it shortly. Hopefully MS will release the fix today and the threat can be minimized. Since there is already a demo page available (noted at top), I won't be preparing one.

Cheers,
Russ - NTBugtraq Editor
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:28 PDT