Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: MSIE src&name property disclosure ("E" - GORILLA WAR stratigy? )
From: jamie fisher <contact_jamie_fisher () yahoo co uk>
Date: Mon, 8 Nov 2004 14:48:09 +0000 (GMT)

Can a company sue a person, for publishing irresponsible sec. ...
 
 Don't know; Internet law is still very unclear in so many areas.
 
I found a shitty security issue in CyberGuard Firewall/Proxy some time ago; they were pretty upset about it.  Went to 
the top as far as I understand it, to Paul Henry.
 
In any case, they asked me to issue a retraction statement saying the security issue was false.  I _did_ get the 
feeling the lawyers would come out of the woodwork but I ignored them and they finally went away.  I'd say it was a 
pretty close shave.
 
Below is the retraction statement they asked me to issue:

To Whom It May Concern: 

28 January 2004 

In reference to the vulnerability posting that I raised on Bugtraq on 18th December 2003, relating to CyberGuard 
firewall/VPN products, I now request that your site remove the entry as it has been proven to be false. 

CyberGuard have issued the following public statement: 

CyberGuard firewalls have zero vulnerabilities. Security Tracker agrees to remove erroneous 'vulnerability' message 
posting. 

After further investigation and research into the message posted to the Bugtraq security mailing list on December 18th, 
2003 and as reported on http://securitytracker.com/alerts/2003/Dec/1008526.html and other security web sites, 
CyberGuard has determined that the information in the post is indeed false. While the party failed to test and validate 
the above XSS hole as reported in the above post, we will shed further light on this supposed "vulnerability." 

The above poster assumes that a XSS hole would provide a miscreant to privileged user credentials by collecting 
password/username information from the browser information of a CyberGuard administrator desktop machine. CyberGuard 
uses Tarantella (a java applet) to administer a firewall via HTTPS - we DO NOT store user credentials in the browser. 
Consequently, there is no privileged data that can be compromised and no vulnerability whatsoever. " 

Security Tracker agrees with this assessment and will remove the report from its database. We are also working with 
other security sites that list Security Tracker reports to make sure the CyberGuard "vulnerability" is removed as soon 
as possible. 

I confirm that I now request that your site remove the entry as it has been proven to be incorrect. 

Please inform me when this action has been completed. 

Jamie Fisher 
For completeness, the XSS is as follows:
alert('test')http://domain.tld>
 
CyberGuard make decent firewalls; the manner in which they manage their response to security vulnerbilities is poor.


bipin gautam <visitbipin () yahoo com> wrote:
huh!
Reviewing all the latest IE advisories, i believe they
are in a way attacking M$. So that its coutomers are
forced to choose another browser... due to the
security risks involved.

I will rate it as a birth of "E" - GORILLA WAR
stratigy? (o; of the minorities.


Can a company sue a person, for publishing
irresponsible sec. advisories as such? No offence. I
just wanna know your views. Afterall, the haxor is
reverse engineering the software. I don't know if M$
will ever fire a case against such ppl. in future with
a propaganda, TO PROTECT ITS USERS?

have your say?

bipin gautam
--- Berend-Jan Wever wrote:

Hi all,

In response to statements found at

http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html
"Microsoft is concerned that this new report of a
vulnerability in
Internet Explorer was not disclosed responsibly,
potentially putting
computer users at risk," the company said in the
statement. "We believe
the commonly accepted practice of reporting
vulnerabilities directly to a
vendor serves everyone's best interests, by helping
to ensure that
customers receive comprehensive, high-quality
updates for security
vulnerabilities with no exposure to malicious
attackers while the patch
is being developed."

About "responsible disclosure":
The origional vulnerability was found and disclosed
by ned. As far as I
know, ned only knew he had found something that
crashed MSIE: a bug.
Microsofts concerns would suggest two options:
1) They expect everybody who finds a bug to
investigate the issue and act
according to the impact the problem might have on
security. I do not think
this is likely to happen unless everybody is
required to be a 1337
ubergeek before they are allowed to use MS software.
It's a nice goal to
aim for, but not very realistic.
2) You can not talk about your software crashing,
ever, unless it's to the
vendor: You might have stumbled upon a vulnerability
and if a malicous
attacker hears about it, he might use it.

About "commonly accepted practice of reporting
vulnerabilities directly to
a vendor":
When did they arrest all the black-hats ?

About "no exposure to malicious attackers while the
patch is being
developed":
Allthough I believe in responsible disclosure of
vulnerabilities, it DOES
NOT prevent malicious attackers to discover and
exploit the same
vulnerability while a patch is being developed.
Resonsible disclosure
decreases the chance of somebody hacking your system
while you are
vulnerable, it doesn't make it zero.

Anybody who understands basic bufferoverflow
techniques will be able to
write an exploit for this vulnerability. I did it in
a few minutes, so how
hard can it be ? I do not feel I disclosed anything
new, I just saved a
lot of people the trouble of writing it themselves.

The vulnerability has been rated "extremely
critical" since I released the
exploit. I say it was allready "extremely critical"
before ned disclosed
his information, only nobody knew it was there. It
was "extremely
critical" when ned did, but only a few could grasp
that. Then I explained
it was an easy to exploit bufferoverflow, it still
did not get much
attention.
Writing the exploit hasn't changed the flaw or it's
impact, it just
attracked the right amount of attention to the
problem.

Cheers,
SkyLined

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html





__________________________________ 
Do you Yahoo!? 
Check out the new Yahoo! Front Page. 
www.yahoo.com 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


                
---------------------------------
 ALL-NEW Yahoo! Messenger - all new features - even more fun!  

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]