mailing list archives
Re: Windows 0day release
From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Wed, 13 Jun 2007 12:10:23 +0200
-----BEGIN PGP SIGNED MESSAGE-----
ge () linuxbox org wrote:
On 2007-06-13 02:58+0800, Thomas Lim wrote:
Dear all, this is not a 0day, it is a public release of a responsibly
Yes, indeed it *seems* so:
But, of course we can not be sure that the bug that was addressed by
this patch is actually the same one as presented in Thomas' post,
without analyzing the patch (or a patched system). If Thomas says it's a
0day, then maybe somebody should check it. Why would Thomas say it's a
0day if it was already fixed?
Obviously I'm far from punishing anybody for publishing a 0day -- after
all the potential attack vector would have existed even if the 0day was
not made public.
What is funny however, is that Microsoft, the great supporter of
"responsible disclosure" actually is the main sponsor ("patron") of the
SyScan conference: http://syscan.org/ which is organized by Thomas.
Maybe it's a sign that Microsoft realized that the free "responsible
disclosure" idea is a bit artificial? (at last!)
The time line is also interesting, BTW:
28th August 2006
Date reported to Microsoft:
19th March 2007
One (I guess some "responsible disclosure" purist) could ask why they
waited 6 months before reporting this vulnerability to the vendor. What
were they doing with this exploit for the whole 6 months?
Obviously I'm far from being a "security responsible" crusader and I
think that they had a full right to wait with reporting the bug to the
vendor (if the vendor was not their client) as long as they wanted and
that MS should be happy that they eventually decided to do that.
(Needless to say, MS is grateful, as we see in the bulletin.)
What seems more interesting, however, is why Thomas actually made the
discovery date public. After all, they could have just written the "reported to
vendor" date, but they intentionally also gave the discovery date,
risking the possibility of potential accusations of being "not
Anyway congrats to mysterious Steven:
Vulnerability Research Lab
Interestingly, the MS bulletin credits Thomas Lim for the discovery and
not Steven, which may suggest that Steven is some sort of a program
(maybe another fuzzer) for bug hunting...
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/