Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Fwd: Information on MS99-022
From: Marc () EEYE COM (Marc)
Date: Sat, 3 Jul 1999 22:39:28 -0000

I am glad this thread is now on bugtraq since Russ Cooper filters my posts
to NTBugtraq.

People should not have to pay for "full disclosure" of MS advisories.
However, it probably does not surprise most that MS would hook up with
another company to do such a thing.

Also, it seems that MS thinks it is a "safe idea" to just give the full
details to the ICSA so that way the wrong people do not get full details
about it. However, as was pointed out by someone on NTBugtraq, there are
always a few bad eggs that will leak out the information. So why make it a
pain in the ass for the security community to get full details when the
details will get out any way. Either do not give any details to anyone or
give them to everyone.

We at eEye are hopefully going to start "re-releasing" Microsoft's
advisories with full details. We however are hard pressed for time around
here so if anyone wants to help out to figure out all the details about
future MS advisories and write demonstration code etc, drop me an eMail.

eEye Digital Security Team

-----Original Message-----
From: Vanja Hrustic <vanja () SIAMRELAY COM>
Date: Saturday, July 03, 1999 9:40 PM
Subject: Fwd: Information on MS99-022

|I haven't seen this on the Bugtraq, but it's very interesting...
|>Wanted to advise that we are making information available regarding the
|>technical details involved in the "Double Byte Code Page" vulnerability
|>(http://www.microsoft.com/security/bulletins/ms99-022.asp).  We've
|>a full description to the ICSA, for dissemination within their Intrusion
|>Detection Consortium.  This will allow security vendors to have access to
|>the information that they need to develop scanning tools that will check
|>this attack.  However, we are not planning to do a general release of the
|>information.  If you are running IIS 3.0 or 4.0 on a server whose default
|>language is set to Chinese, Japanese, or Korean, you should apply the
|>Secure () microsoft com
|So, if I have my custom-developed IDS running, I won't be able to implement
|a pattern for this, because I am not a member of 'Intrusion Detection
|Note the words...
|"This will allow security vendors to have access to the information..." -
|why only security vendors? What better they are than Bugtraq folks?
|"Security through obscurity" comes to mind...

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]