limited disclosure
Timeline:
***********
April 30th 2009: Contacted Vendor
April 30th 2009: Vendor reaction
April 30th 2009: Vendor commits fix
May 28th 2009: Full Disclosure
References:
***********
http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589
-----Original Message-----
From: Larry Seltzer [mailto:larry@larryseltzer.com]
Sent: Wednesday, September 16, 2009 5:03 PM
To: Susan Bradley; Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
Yes, they used the bulletin to soft-pedal the description, but at the
same time I think they send a message about XP users being on shaky
ground. Just because they've got 4+ years of Extended Support Period
larry_seltzer@ziffdavis.com
http://blogs.pcmag.com/securitywatch/
-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
Bradley
Sent: Wednesday, September 16, 2009 2:26 PM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
This tool can be used, for example, to search for similar "crapwares" or to search for similar image files (not similar looking, but similar files), similar office documents, etc...
--- On Tue, 5/1/10, T Biehn <tbiehn@gmail.com> wrote:
> From: T Biehn <tbiehn@gmail.com>
> Subject: Re: [Full-disclosure] [Tool] DeepToad 1.1.0
> To: "Dan Kaminsky" <dan@doxpara.com>
> CC: "Joxean Koret" <joxeankoret@yahoo.es>, "Full Disclosure" <full-disclosure@lists.grok.org.uk>, bugtraq@securityfocus.com
> Date: Tuesday, January 5, 2010 15:56
> I can see what you're saying, it
> could be useful for finding
> -----Original Message-----
> From: Larry Seltzer [mailto:larry@larryseltzer.com]
> Sent: Wednesday, September 16, 2009 8:21 AM
> To: Thor (Hammer of God); Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> I agree that the FAQ explanation in the advisory is vague about what
> protection the firewall provides. One clue I would infer about it is
> that they rated this a "Low" threat. If it were vulnerable in the
>
>> -----Original Message-----
>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>> Sent: Wednesday, September 16, 2009 10:16 AM
>> To: Thor (Hammer of God)
>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>
>> It's XP. Running in RDP mode. It's got IE6, and wants antivirus. Of
>> course it's vulnerable to any and all gobs of stuff out there. But
>> it's
Glenn Everhart
-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk]On Behalf Of Larry
Seltzer
Sent: Thursday, March 06, 2008 3:36 PM
To: Tim
Cc: Full Disclosure; Bugtraq
physical access as you can just take the drive out, boot from CD, etc...
t
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> disclosure-bounces@lists.grok.org.uk] On Behalf Of Larry Seltzer
> Sent: Friday, March 07, 2008 11:51 AM
> To: Bugtraq; Full Disclosure
> Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista
>
larry_seltzer@ziffdavis.com
http://blogs.pcmag.com/securitywatch/
-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor
(Hammer of God)
Sent: Wednesday, September 16, 2009 11:00 AM
To: Eric C. Lukens; bugtraq@securityfocus.com
Cc: full-disclosure@lists.grok.org.uk
I get the whole "XP code is too old to care" bit, but it seems odd to take that "old code" and re-market it around compatibility and re-distribute it with free downloads for Win7 while saying "we won't patch old code."
t
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, September 16, 2009 8:00 AM
> To: Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> t
>
>
The suggested solution is to not expose sensitive information (full paths) and
un-escaped user input in comments.
Vendor should also publish an e-mail address or other way to contact them with
such issues so that full-disclosure can be avoided before vendor notification.
Ongoing research into other products Woltlab GmbH produces is pending. Future
vulnerabilities will be posted to full disclosure as they are found unless the
vendor wishes to provide such contact info publicly.
> -----Original Message-----
> From: Tim [mailto:tim-security@sentinelchicken.org]
> Sent: Thursday, March 06, 2008 12:00 PM
> To: Larry Seltzer
> Cc: Full Disclosure; Bugtraq
> Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista
>
> > What are the implications for firewire device compatibility of doing
> > this?
>
> Hello Susan!
>
> As I already wrote you and Adam earlier, every type of disclosure
> (including
> full disclosure and responsible full disclosure) can be good in
> appropriate
> situation. And I use that type of disclosure which is suitable for every
> particular case.
>
> Taking into account that 3 from 4 vendors answered me (except Microsoft)
-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of The
Security Community
Sent: Wednesday, December 12, 2007 3:32 PM
To: bugtraq@securityfocus.com; Full-Disclosure
Subject: [Full-disclosure] Fwd: Websense 6.3.1 Filtering Bypass
> they do not work when clicked from a normal
> local html.
>
> ----- Original Message -----
> From: "Thierry Zoller" <Thierry@Zoller.lu>
> To: <bugtraq@securityfocus.com>; <full-disclosure@lists.grok.org.uk>
> Sent: Saturday, October 06, 2007 8:06 AM
> Subject: Re: [Full-disclosure] URI handling woes in Acrobat Reader,
> Netscape,Miranda, Skype
>
>
-----Original Message-----
From: gjgowey@tmo.blackberry.net [mailto:gjgowey@tmo.blackberry.net]
Sent: Thursday, October 11, 2007 8:28 AM
To: pdp (architect); Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
Not to step into the middle of this, but I once worked for an employer with what I considered the best way of stopping attacks cold: a proxy server that prompted you for your credentials when you went to an external web site and gp settings that disabled the ability to save your username/password locally as well as tight settings on the systems to prevent pretty much anything from being installed or modified. So every time you opened up a brand new session of IE and tried to access an external site you were prompted for your username/password. Somehow I doubt there's any malware around that is designed to survive in that type of an environment.
Geoff
3/ Default open guest user, no way to disable it
4/ It is impossible to disable SAMBA completely! This is a wireless
access point/router... I don't want this insecure storage feature.
Cc: Full Disclosure, Bugtraq
-----Original Message-----
From: Bernhard Mueller [mailto:research@sec-consult.com]
Sent: Wednesday, March 05, 2008 10:54 AM
To: Full Disclosure; Bugtraq
Subject: Firewire Attack on Windows Vista
Hello,
In the light of recent discussions about firewire / DMA hacks, we would like to throw in some of the results of our past research on this topic (done mainly by Peter Panholzer) in the form of a short whitepaper. In this paper, we demonstrate that the firewire unlock attack (as implemented in Adam Boileau's winlockpwn) can be used against Windows Vista.
From: Remote
Severity: Extremely Critical
Impact:
Manipulation of data
Cross-Site Scripting
Type of Advisory: Full Disclosure
_________________
Software Description |
===============
WP Comment Remix adds a plethora of new options and features to
there on time.
4. The vuln hunters are getting more and more afraid of the legal
aspect of their jobs and are neutering their releases more and more
that by 2010 "Full Disclosure" will be about as revealing as a hole
filled with dirt. But the announcements will be juicier, more
enticing, and more exaggerated getting bigger headlines and bigger
sky-is-falling dance floor time. This of course will cause many people
who are neither lazy nor good security analysts a great deal of stress
and wasted resources reacting to the announcement. Maybe we'll see a
information for fear of retaliation. Other information included
specifics about how the issue was found. Gave CERT option to release
this information with weekly release along side this release. Gave
Meridian till December 11th to respond.
December 11th 2007 – No response from Meridian or CERT. Public
notified through BugTraq, Full Disclosure, and Prolog Support Forums.
***********
April 29th 2009: Contacted Vendor
April 30th 2009: Vendor reaction: "bogus"
April 30th 2009: Vendor corrects statement
May 3rd 2009: Patch released
May 3rd 2009: Full Disclosure
References:
***********
http://www.mybboard.net/
> -----Original Message-----
> From: Larry Seltzer [mailto:Larry@larryseltzer.com]
> Sent: Thursday, March 06, 2008 9:51 AM
> To: Peter Watkins; Roger A. Grimes
> Cc: Bernhard Mueller; Full Disclosure; Bugtraq
> Subject: RE: Firewire Attack on Windows Vista
>
> >>Roger, you should note that Adam's "Hit by a Bus" paper includes
> information about how Linux users can load their OS' Firewire driver
in
changed significantly since at least 2.2.0.
All versions of LedgerSMB lower than 1.2.0 are vulnerable. 1.2.0 is
the first version that is not vulnerable.
Original full disclosure email at:
http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0415.html
by another author.
I have not checked other offshoots.
If you (again, not you, but the industry) want to be able to criticize AU for being idiotic, then don't continually create an environment where the expectation is that the vendor will do every last bit of the thinking for the user, because you send the message that it is OK for .gov's to get in line after .com's draw it.
t
>-----Original Message-----
>From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-
>bounces@lists.grok.org.uk] On Behalf Of Paul Craig
>Sent: Tuesday, June 22, 2010 7:06 PM
>To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>Subject: [Full-disclosure] Microsoft Help Files (.CHM): 'Locked File' Feature
>Bypass