mailing list archives
Re: Win2k Telnet.exe malicious server vulnerability
From: monti <monti () USHOST COM>
Date: Thu, 14 Sep 2000 12:57:08 -0500
I dont want to start a lengthy debate, but I feel that I should respond
here and state for the record what my stance is.
I believe strongly in cooperating and coordinating with vendors on
security holes and doing everything possible to help them resolve a fix
without resorting to full disclosure and public exploit code (at least
until after the patch). However, it is not the responsibility of a third
party to chide and hold the hand of a negligent vendor. My time is
expensive. I have already gone to great lengths to provide you with
technical details and proof-of-concept. The code was written because I
had the time and inclination to prove a theory. Your own problems with
internal politics or agendas that prevent you from delivering a timely fix
are your own. That said, keeping the vulnerability researcher in the
loop on progress is a good way to put them at ease.
What you do not mention in your rant about me is that I requested that you
keep me in the loop and inform me when/how you would fix this problem and
I tried to give you the sense that I'd even be willing to help further if
necessary. I did not receive any email from microsoft after that time
It sounds like you were willing to do this with @Stake but not me... well
thank you... should I use a non-alphanumeric character in my name next
time? Had I been treated with the same respect and participation you have
extended them, I wouldnt have been left wondering whether to release this
or not. This isnt the first time i've dealt with Micrsoft and my existing
impression of your communication skills is not a good one. If you are
indeed trying to fix this, I am glad to hear it.
As for my reasons in posting the message...
I have had more and more clients of my own moving to Windows 2000 and what
I did was definitely in their interest. This hole, as you yourself are
indicating, is known to many parties performing their own independent
research. Not all of them would have made this disclosure publicly or
to you. They may have exploited it quietly until it was found in the
wild. This is the risk that is present while users wait for a fix.
Please do not demonize me for my actions. It is MS's design that has led
to this problem. One, I might add, that MS has made before and failed to
learn from. And it would have been very easy for you to post a public
I have no reputation, (well at least not a good one) and was not motivated
in that regard. As I said before, this is a known problem to several
people, keeping it quiet (me, MS, @stake, and anyone else) was further
endangering our common clients.
All, this said, the bug really isnt all that terribly interesting anyway.
I was more interested in sharing my NTLM research with others. So, I may
have had a personal motivation, but it wasnt to glorify myself as a
'criminal hacker' as you seem to imply.
On Thu, 14 Sep 2000, Microsoft Security Response Center wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Weld Pond and Dildog of @Stake Inc. reported this vulnerability to
Microsoft August 1st and have been working with Microsoft since that
time to develop a patch and an advisory. Their commitment to vendor
notification, responsible reporting and the protection of customer's
assets with respect to this and other investigations has been beyond
Microsoft has developed and @Stake has tested a patch for this
vulnerability. The patch is undergoing final packaging and should be
ready for release as a security bulletin by end of the day Thursday,
September 14. The security bulletin will be posted to the
Microsoft.com/security web site, will be sent to members of the
Microsoft Security Notification Mailing list, and will be submitted
to various security-related mailing lists. The patch will be hosted
on the Microsoft download center - the URL will be included as part
of the security bulletin.
With regard to "Monti's" post on this topic:
Monti contacted Microsoft on August 7th with details of this
vulnerability. Monti informed us that he was planning to release the
vulnerability to Bugtraq (with exploit code) and would proceed with
his plan should he fail to hear back from Microsoft within one week's
time. He also stated that he would postpone his release if Microsoft
provided reasonable explanation for needing additional time to
provide a patch. Nowhere in his email did he mention a three-week
timeframe as he claims in his advisory.
Microsoft responded to Monti on August 7th, thanked him for his
email, and informed him that we had received this issue from another
party and had already opened an investigation. We stated we would
keep him in the loop with regards to patch availability, provided him
with a tracking number, and encouraged him to contact us should he
have any questions on the investigation.
Monti replied on August 8th, asking for an ETA on a patch. We
responded to Monti on August 8th, stating: " I don't have an ETA at
the moment -- we only learned of the issue last week, and we do need
to make sure we've done our due diligence and understand the solution
thoroughly. It's a slower process than we'd like, but when you
consider the millions of customers' machines that are affected by any
change we make, it's pretty clear that we need to be very careful
about our engineering and testing. I'll definitely keep you in the
loop as we go forward, though, and please feel free to ping me as
needed for status information. Sound OK?"
We never heard back from Monti.
Microsoft remains committed to protecting its customers. We answer
every inquiry sent to Secure () Microsoft com Each person submitting a
vulnerability report to Microsoft is given a tracking number and is
encouraged to contact us anytime they'd like to discuss the
investigation. Most individuals are willing to work us within this
framework. Others, as Monti has demonstrated, are more concerned
about building their own reputation (and unnecessarily putting users
at risk) than they are about checking with us on the status of an
In closing, we applaud the relationship we've had with @Stake on this
and prior Microsoft security investigations. Their respect for
protecting our mutual customers is something that should be emulated
by all individuals involved in the vulnerability reporting and
Security Program Manager
Microsoft Security Response Center
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
-----END PGP SIGNATURE-----