-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ge@xxxxxxxxxxxx wrote:
> On 2007-06-13 02:58+0800, Thomas Lim wrote:
>> dear all
>
> Dear all, this is not a 0day, it is a public release of a responsibly
> disclosed vulnerability.
>

Yes, indeed it *seems* so:

http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx

But, of course, we can not be sure that the bug that was addressed by this
patch is actually the same one as presented in Thomas' post, without
analyzing the patch (or a patched system). If Thomas says it's a 0day,
then maybe somebody should check it. Why would Thomas say it's a 0day if
it was already fixed?

Obviously I'm far from punishing anybody for publishing a 0day -- after
all, the potential attack vector would have existed even if the 0day was
not made public.

What is funny, however, is that Microsoft, the great supporter of
"responsible disclosure", actually is the main sponsor ("patron") of the
SyScan conference:

http://syscan.org/

which is organized by Thomas. Maybe it's a sign that Microsoft realized
that the free "responsible disclosure" idea is a bit artificial? (at last!)

The time line is also interesting, BTW:

>> Discovery Date:
>> 28th August 2006
>>
>> Date reported to Microsoft:
>> 19th March 2007
>>

One (I guess some "responsible disclosure" purist) could ask why they
waited 6 months before reporting this vulnerability to the vendor? What
were they doing with this exploit for the whole 6 months?

Obviously I'm far from being a "security responsible" crusader, and I
think that they had a full right to wait with reporting the bug to the
vendor (if the vendor was not their client) as long as they wanted, and
that MS should be happy that they eventually decided to do that. (Needless
to say, MS is grateful, as we see in the bulletin.)

What seems more interesting, however, is why Thomas actually made the
discovery date public? After all, they could have just written the
"reported to vendor" date, but they intentionally gave also the discovery
date, risking the possibility of potential accusations of being "not
responsible"...

Anyway, congrats to mysterious Steven:

> Discovered by:
> Steven
> Security Researcher
> Vulnerability Research Lab
> COSEINC

Interestingly, the MS bulletin credits Thomas Lim for the discovery and
not Steven, which may suggest that Steven is some sort of a program (maybe
another fuzzer) for bug hunting...

joanna.

-----BEGIN PGP SIGNATURE-----

iQEVAwUBRm/CjswG7MOLAMOlAQKt7Qf/cCKmRGZJcs467h4+/79X/luNdx+dRh10
pcx1PjqlbbPnonjney0+kYjSG7uvm7h0kntffP60am/JKceUk/M/Hgw0LUdWPCEL
2qCKPnOypZzE5YimJiUWrxy97pa+SInUyvoAJswHzu5v3TMLKZpJkqHj3M8PwsDz
xseh3ON+eDZ4L6XpUWxwUSgP2AlRxQ3/RQIwAbyVZAYPHgp3qKSMWmOxDDv6dWQr
7UJB4HozXiwgSTpI1vbuADC/nKCFbasoAmAo857nKtfjvgqAjgN3M9zc8YkuyT9h
wSFrK/GiN5hPAfhQBfpexPEO3521CABqAL16F6dax42fOYuBhvdACg==
=jETT
-----END PGP SIGNATURE-----