Home page logo

fulldisclosure logo Full Disclosure mailing list archives

[Full-Disclosure] RE: Full-disclosure] Software Company Files Suit Over Vulnerability Disclosure
From: "Steve W. Manzuik" <steve () entrenchtech com>
Date: Sun, 29 Dec 2002 19:10:51 -0700

Surprising that this hits the press now.  I know another online news source
was looking at reporting on this quite some time ago and decided not to.
But, I do have a few comments on this one.

Autoprof published the following "whitepaper" -
http://www.autoprof.com/pdf/PM_Scriptlogic_Comparison.pdf that on page 8
outlines the following "security vulnerabilities"

"The first problem allows network users administrative access to the local
Windows registry. The second problem allows network users to become
administrators of all domain machines that have previously run the
ScriptLogic 4 RunAdmin client service. The third problem grants all users
(the "Everyone Group" by default) full access to a network-shared folder on
a ScriptLogic 4 domain controller."

All of these vulnerabilities are caused by one thing and one thing only --
poor permissions.  The fact that Autoprof feels that these issues are
serious enough to warrant a complete whitepaper on it is almost as ludicrous
as ScriptLogic invoking the lawyers and suing Autoprof.

What we have here are two vendors tossing their dicks on the table to see
who has the longest one.  Meanwhile they will waste money and time all while
passing the costs off to their end users (does anyone actually use either of
these products?).

For those who do feel that this is a serious issue here are some quick fixes
that are part of "Securing NT/2000 101"

Don't use the everyone group
Don't let services run as system unless required
Lock down file permissions as needed
Lock down registry permissions as needed
Monitor internal network traffic
Manage workstation builds

Seriously, if someone who is on your internal network wants to own you there
are far more serious and more effective things that they could do.  That
being said, Scriptlogic could easily fix these problems and make the whole
thing go away.  The hour of development timted  would take is far cheaper
than the lawyers.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • [Full-Disclosure] RE: Full-disclosure] Software Company Files Suit Over Vulnerability Disclosure Steve W. Manzuik (Dec 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]