Re: [Full-Disclosure] Bill Gates blames the victim



--On Sunday, August 31, 2003 12:31:03 -0300 pandora@xxxxxxxxxx wrote:

And what about the flaws MS probably found during the code audit and that were never published? I would like to see MS releasing patches/fixes for flaws they found during these audits. Or did they find none?

The only thing we know for certain is that they didn't find them all. That point has been driven home decisively by Blaster and Nachi.

During the launch of Windows XP, Microsoft announced that they had "eliminated" buffer overflows in Windows XP (using a commercial tool that they had purchased). One month later eEye announced what I still believe to be the most devastating hole in Windows, the UPnP vulnerability. It hasn't been exploited like RPC DCOM has, but it's an even more serious vulnerability.

How many more are lying around waiting to be exploited? It's obvious that Microsoft doesn't know.

Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html