Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: WebEx Downloader Plug-in Multiple Vulnerabilities + rant

from [Web Ex] Network Security [Permanent Link]
Subject: RE: WebEx Downloader Plug-in Multiple Vulnerabilities + rant
Date: Sat, 8 Jul 2006 21:31:05 -0700 (PDT) 
*498 days to fix an arbitrary code vulnerability
*Silently fixing buffer overrun vulns without releasing an advisory 
(http://xforce.iss.net/xforce/alerts/id/226, in "Additional Information" 
section)
 
Hmph. Wow.
 
I wonder if they kill-bitted older versions >>>hehehe  ;-)
 
I ran across at least some of the same issues reported in early 2005 as well 
(didn't bother to report them though).  All I can say is swiss-cheese for the 
stuff I looked at, what's a better word when you spend 30 minutes looking at a 
product and come up with a half dozen or so high impact flaws.
 
________________________________________
From: Mark Litchfield
Sent: Friday, July 07, 2006 9:58 AM
To: bugtraq@securityfocus.com; vulnwatch@vulnwatch.org; sec-adv@secunia.com
Subject: WebEx Downloader Plug-in Multiple Vulnerabilities + rant
 
All these vulnerabilities were reported to WebEx by NGS Software back on the
24th February 2005 along with some other issues.
 
The current Director of the X-Force new about these issues as at the time of
their discovery, he worked with NGS.
 
Seeing as I'm the subject, here is another example whereby I found a bug (in
Skype) except Pentest-Limited were credited with it's discovery -
http://www.theregister.co.uk/2005/10/25/skype_vuln/  An extract from an
email below from Kurt Sauer (Security Operations / Skype Technologies),
shows that Mark Rowe of Pentest Ltd for some unknown reason had access to my
email sent to Kurt.
 
In reviewing our mail archives, I see that you *DID* report the vuln (the
VCARD aspect) to us -- to ME, directly -- before Mark Rowe did.  However, I
(gulp) mishandled the e-mail.
 
As you surmised, it appears that Mark Rowe read that mail and found another
instantiation of the same bug, namely the handling of the command-line
parameters.
 
Completely my fault on that.  It will take one "push" cycle (typically less
than a day) to get a correction posted, but I will both correct our
announcement and also redistribute it with corrected attribution.
 
I should have asked you to CC security@skype.net on the actual vuln report,
because mail sent to that address is read by more than just me.
 
Importantly, I am going to hire a dedicated incident manager (as fast as
our hiring practices will allow) so that there is someone spending full
workdays just handing inbound messages on this topic.

Could never be bothered before to make an issue of it.  But to sit on a
large number of flaws in a vendors software product for 498 days and see
other companies credited is a tad annoying :)
 
All the best
 
Mark Litchfield
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] ERNW Security Advisory 02/2006 - Buffer Overflow in sipXtapi (used in AOL Triton), Test Drive
Next by Date:  [Full-disclosure] Google PR Mechanism Possible Vulnerability, cumhur onat
Previous by Thread:  Re: WebEx Downloader Plug-in Multiple Vulnerabilities + rant, Mark Litchfield
Next by Thread:  [VulnWatch] TWiki Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336), Peter Thoeny
Indexes:  [Date] [Thread] [Top] [All Lists]