labs-no-reply@xxxxxxxxxxxx wrote:
> Matt,
>
> We don't disagree with you. The vulnerability lies in the Microsoft
> Foundation Classes (MFC) static libraries. Trend Micro also acknowledges
> this in their response. Unfortunately, Trend Micro's product
> distributions are vulnerable since they ship with the old static libraries.
>
> Michael Sutton
> Director, iDefense Labs

That's all well and good. I see two problems with this, only one of which deals with iDefense:

1. iDefense was sloppy about fact-checking and crediting prior reports. If it surfaces that a vulnerability is a rediscovery of an unfixed issue from a prior report, at least mention the prior report. Particularly when you're buying/selling this as original research, it makes iDefense look bad.

2. I'm betting that the reason why nobody at Trend paid more attention than they did is because of the horrendous misdocumentation of the service pack's fixes by Microsoft. The only thing that has to do with your report is that it makes the rediscovery of the issue more blatant.

It seems my post has been taken as more hostile toward iDefense than was intended. I'll say now that the majority of the blame for the fact this was rediscovered in the first place lies squarely with Microsoft for its spectacularly bad job of managing this vulnerability. Had Microsoft taken the initiative to actually inform customers that a hole existed when it released Service Pack 6 for Visual Studio 6.0 (or chosen a more effective delivery vehicle), I have no doubt that a company the size of Trend would have been much less likely to be caught off guard.

-- 
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot."
-- Michael Holstein
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/