Text 5234, 161 lines
Written 2005-06-20 21:28:42 by Rich (1:379/45)
Comment on text 5231 by Geo (1:379/45)
Subject: Re: Vulnerabilities vs. exploits
========================================
From: "Rich" <@>
I disagree and this is an example. The reporter claimed there were overflows even though the repro he provided and the one he describes in his PR demonstrates none. Who knows, maybe he knows a way to exploit the bug that he is keeping to himself to gain some advantage. I disagree about a correction too. There is no proof that he was not keeping something to himself for personal advantage. I very much doubt it but then I have (or at least had at the time I looked at it) a very good understanding of exactly what was going on and that understanding is 100% consistent with the facts from the reporter.

Really, this is nothing remarkable. The cause of a bug and the behavior that can be triggered by exploitation of a bug need have little to nothing to do with one another. If you really paid attention to the vulnerabilities that are reported on the lists as you suggest, the symptoms of those vulnerabilities, and the exploits that can sometimes be made of them you would see that each of these can be very different. In this example I think the reporter did not understand what he saw (i.e. the first two) and asserted that he can exploit the corrupted state to trigger an overflow elsewhere unrelated to the original bug and quite likely not a bug at all. It doesn't matter. This may seem weird to someone that doesn't understand code in general or even the specific code but it's not remarkable or in most cases even interesting.
Rich
"Geo" <georger@nls.net> wrote in message news:42b7872a$1@w3.nls.net...

Microsoft doesn't publish security bulletins until they examine a reported vulnerability. It makes no sense that the official MS bulletin would say buffer overrun if it wasn't. Heck, even if they found out later that it was a race condition I would think they would have corrected the mistake; they've corrected the alerts for less important stuff before.

Geo.
"Rich" <@> wrote in message news:42b77b11$1@w3.nls.net...

Not odd. I didn't analyze it until after I saw the public bulletin release and what the reporter claims in his PR was the scenario that generated overflows. I don't believe the reporter understands what he saw or if he did he kept that out of his PR and anything else I could find, public or private, on the topic. Unlike the reporter, I don't issue press releases or call reporters with what I find even if it could be embarrassing to him. But then I don't have a financial interest in putting others at risk just to try to make myself look good.
Rich
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)