| Subject: | RE: Microsoft Vulnerabilities ARE being reported to Microsoft |
|---|---|
| Date: | Wed, 22 Dec 2004 17:27:18 -0500 |
Ohh. So you're the type to keep things in the closet. Well.. I disagree.

He/Paul is complaining that MS is not responding to his bug reports. (typical) He/We are not attacking MS. We're trying to help them, but they don't want to help themselves. There are countless 0days for MS that have been reported, without a patch. (cough ** eeye ** cough)

So what's worse, you tell me?

1. Keep the bug in the closet, let a blackhat self discover it and exploit it, and spread it in the private 0day world, and just let blackhats hack away at the bug. Compromising thousands, possibly millions of PCs/servers.

Or

2. Report the bug to the software vendor, then expose the bug on a full disclosure list for everyone to read and see. Make it public. Then users/admins can decide how to protect themselves and the companies they work for.

Ever hear the expression .. What you can't see can hurt you.

Take Care-

-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:sbradcpa@pacbell.net]
Sent: Wednesday, December 22, 2004 4:26 PM
To: ISNYC
Cc: 'Paul'
Subject: Re: Microsoft Vulnerabilities ARE being reported to Microsoft

Let's not folks. Do you folks have any idea of what impact you have on the world when you guys pull stuff like this? Forget hurting Microsoft... you hurt my communities down here.

ISNYC wrote:
paul//

Do you really care what MS thinks?

My way of going around things....

1. Find the bug
2. Inform the software maker
3. Release the bug/vulnerability and a proof of concept (POC/exploit) to a full disclosure list.

Paul... If you can compromise SP2, let's see it. Release a POC. Take it from there.

Happy Holidays Everyone-

-----Original Message-----
From: Paul [mailto:paul@greyhats.cjb.net]
Sent: Monday, December 20, 2004 10:29 PM
To: focus-ms@securityfocus.com
Subject: Microsoft Vulnerabilities ARE being reported to Microsoft

If you came here looking for a vulnerability, you will be disappointed, because this is simply a message.

Contrary to popular opinion, I do disclose my vulnerabilities to Microsoft before release. They do not respond to any of my emails so I assumed they either 1) didn't care, or 2) were taking considerable action to patch these vulnerabilities. The Microsoft statement that I do not disclose the vulnerabilities to them is untrue and is probably just an attempt by Microsoft to make me look bad because of their own incompetence. I will continue to work towards a secure operating system because that is what we security professionals strive to accomplish.

PS: Microsoft, I have found a way to compromise SP2 by writing a file to anywhere on the victim's computer without user interaction. As always, I will email you with the details of the vulnerability.
--
An open letter to the Security Community:: http://msmvps.com/bradley/archive/2004/12/12/23540.aspx