Bugtraq mailing list archives

Re: Win2k Telnet.exe malicious server vulnerability
From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Thu, 14 Sep 2000 02:34:26 -0700


Weld Pond and Dildog of @Stake Inc. reported this vulnerability to
Microsoft August 1st and have been working with Microsoft since that
time to develop a patch and an advisory.  Their commitment to vendor
notification, responsible reporting and the protection of customers'
assets with respect to this and other investigations has been beyond

Microsoft has developed and @Stake has tested a patch for this
vulnerability.  The patch is undergoing final packaging and should be
ready for release as a security bulletin by end of the day Thursday,
September 14.  The security bulletin will be posted to the
Microsoft.com/security web site, will be sent to members of the
Microsoft Security Notification Mailing list, and will be submitted
to various security-related mailing lists.  The patch will be hosted
on the Microsoft download center - the URL will be included as part
of the security bulletin.

With regard to "Monti's" post on this topic:

Monti contacted Microsoft on August 7th with details of this
vulnerability. Monti informed us that he was planning to release the
vulnerability to Bugtraq (with exploit code) and would proceed with
his plan should he fail to hear back from Microsoft within one week's
time.  He also stated that he would postpone his release if Microsoft
provided reasonable explanation for needing additional time to
provide a patch.  Nowhere in his email did he mention a three-week
timeframe as he claims in his advisory.

Microsoft responded to Monti on August 7th, thanked him for his
email, and informed him that we had received this issue from another
party and had already opened an investigation.  We stated we would
keep him in the loop with regards to patch availability, provided him
with a tracking number, and encouraged him to contact us should he
have any questions on the investigation.

Monti replied on August 8th, asking for an ETA on a patch.  We
responded to Monti on August 8th, stating: "I don't have an ETA at
the moment -- we only learned of the issue last week, and we do need
to make sure we've done our due diligence and understand the solution
thoroughly.  It's a slower process than we'd like, but when you
consider the millions of customers' machines that are affected by any
change we make, it's pretty clear that we need to be very careful
about our engineering and testing.  I'll definitely keep you in the
loop as we go forward, though, and please feel free to ping me as
needed for status information.  Sound OK?"

We never heard back from Monti.

Microsoft remains committed to protecting its customers.  We answer
every inquiry sent to Secure () Microsoft com.  Each person submitting a
vulnerability report to Microsoft is given a tracking number and is
encouraged to contact us anytime they'd like to discuss the
investigation.  Most individuals are willing to work with us within this
framework.  Others, as Monti has demonstrated, are more concerned
about building their own reputation (and unnecessarily putting users
at risk) than they are about checking with us on the status of an

In closing, we applaud the relationship we've had with @Stake on this
and prior Microsoft security investigations.  Their respect for
protecting our mutual customers is something that should be emulated
by all individuals involved in the vulnerability reporting and
disclosure process.


Eric Schultze
Security Program Manager
Microsoft Security Response Center

