notifying
6. *Vendor Information, Solutions and Workarounds*
Novell has a planned release of iManager 2.7.4 in August 2010; this
release should fix these issues. The Novell team states that it will
provide patches for the currently vulnerable versions with the 2.7.3
ftf4 release before August, but this release has not been confirmed yet
(see the timeline for more details). In the meantime, users can
mitigate these flaws by applying these countermeasures:
9. *Report Timeline*
. 2008-10-08:
Core Security Technologies notifies the Microsoft Security Response
Center (MSRC) that a vulnerability has been found in Internet Explorer
(IE). Core sends a draft security advisory with technical details and
PoC files and announces its initial plan to publish the advisory on
December 1st, 2008.
. 2011-05-05:
Core decides to release the advisory next Wednesday, May 11th, and
states the sequence of events that has motivated that decision:
. Oracle was notified of the vulnerability 5 months ago.
. Oracle released a fixed version of GlassFish (March 2011) without
notifying Core, without patching previous versions and without
publishing any workaround for affected users.
. Core has a workaround that mitigates the vulnerability.
9. *Report Timeline*
. 2010-01-04:
Core Security Technologies notifies the LANDesk team of the
vulnerability, setting the estimated publication date of the advisory
to January 25th 2010.
. 2010-01-05:
The LANDesk team asks Core for a technical description of the
9. *Report Timeline*
. 2009-01-09:
Core notifies the TightVNC team of the vulnerability.
. 2009-01-09:
Core notifies the UltraVNC team of the vulnerability.
. 2009-01-10:
Office killbit given that Core is investigating using that defense
mechanism as a workaround, but MS10-036 points to a knowledge base
article that is no longer available
([http://support.microsoft.com/kb/983632]).
Core also states that this advisory is currently scheduled to be
published on August 10, 2010, but the publication date can be reviewed
if Microsoft responds with a firm commitment to a release date for the
fixes and technical information about the root cause of this
vulnerability.
. 2010-08-04:
9. *Report Timeline*
. 2010-07-05:
Core Security Technologies notifies the Adobe team of the vulnerability
and announces its initial plan to publish the advisory on July 26th,
2010. A Proof of Concept (PoC) is sent to the Adobe team.
. 2010-07-06:
The Adobe team acknowledges Core Security Technologies' e-mail. Vendor also
9. *Report Timeline*
. 2009-09-01:
Core Security Technologies notifies the Hyperic team of the
vulnerability.
. 2009-09-02:
The Hyperic team asks Core for a technical description of the
vulnerability.
9. *Report Timeline*
. 2009-04-28:
Core Security Technologies notifies the Apple Product Security Team of
the vulnerability and announces its initial plan to publish the advisory
on May 20th, 2009. Technical details and a Proof of Concept (PoC) are
sent to the Apple Product Security Team.
. 2009-04-28:
on live sites. The vendor also states that it has no immediate plans to
support CitectSCADA on public networks but is investigating the
possibility of having a security audit of the product.
. 2008-03-25:
Core notifies the vendor of its intention to release the advisory on
March 26th, given that the vendor has no immediate plans for fixing the
vulnerability.
. 2008-03-26:
Core consults under NDA with a process control security expert to obtain
. 2009-08-14:
Core Security Technologies sends technical details encrypted to HP SSRT.
. 2009-08-18:
HP SSRT informs Core that HP engineering has been notified and will
notify Core when they have a schedule estimate. SSRT assigned the IDs
SSRT090177 and SSRT090178 to the vulnerabilities reported by Core.
. 2009-08-27:
Core requests a status update from HP SSRT.
9. *Report Timeline*
. 2010-03-11:
Core Security Technologies notifies the eFront team of the vulnerability.
. 2010-03-12:
The eFront team asks Core for a technical description of the
vulnerability.
9. *Report Timeline*
. 2009-04-20:
Core Security Technologies notifies the StoneTrip team of
the vulnerability and announces its initial plan to publish the content
on May 18th, 2009.
. 2009-04-21:
The vendor asks Core for a technical description of the
9. *Report Timeline*
. 2010-10-18:
Core Security Technologies notifies the LANDesk team of the
vulnerability, setting the estimated publication date of the advisory to
November 9th 2010.
. 2010-10-19:
The LANDesk team acknowledges Core Security Technologies' e-mail and
. 2011-01-17:
The Zoho team acknowledges receipt of the advisory draft and asks for a
contact phone number to discuss these flaws.
. 2011-01-17:
The Core team states its preference for keeping all communication over
e-mail, in order to track all interactions, and to involve all those
interested:
1. the Core Security Advisories Team,
2. the Zoho team and,
In the open source scripts, we analysed the code to find out about the
safeguards in place; the closed source scripts vB and WBB* were not
analysed at the source-code level.
We notified all vendors on April 30th. Vendors who had not replied were
notified again on May 7th with a clear note about our intention to
publish the results after four weeks.
provided: 1. Yes, client-side fixes are included in Maintenance Releases
of Lotus Notes; Fix Packs are server-based. The bugs reported by Core are
on the client. 2. Target dates for maintenance releases provided (end of
2007, March 2008, 2009). 3. Still can't confirm if the fix will be
included and to what extent. Autonomy indicated that it will ship a fix
in version 10.3, which is shipping soon. Core was not notified of the
planned release of similar client-side security fixes in the maintenance
release, to preserve confidentiality with other vulnerability reporters.
Likewise Lotus Notes did not notify the others of Core's similar report.
Three versions of the Lotus Notes client are addressed by Core's report.
Also a partial chronology of the report timeline was provided.
DEFINITELY consult an attorney before doing anything else.
Once you decide to move forward, I have a few words of advice:
1. Do not disclose any aspect of the vulnerability to ANYONE until
you have formally notified the leadership of the company
(The company will provide you with disclosure guidelines after
they have been formally notified)
2. Research the state and federal statutes related to the protection
of personal information and breach notification
(Take special notice if you fall under special regulations like
cross_fuzz may be known to third parties - which makes getting this tool
out a priority. ***
== VENDOR RESPONSE / STATUS ==
* Internet Explorer: MSRC notified in July 2010. Fuzzer observed to trigger
several exploitable crashes - e.g.:
http://lcamtuf.coredump.cx/cross_fuzz/msie_crash.txt
...as well as some security-relevant GDI corruption issues.
CREDITS:
StenoPlasma (at) ExploitDevelopment.com
TIMELINE:
Discovery: December 16, 2008
Vendor Notified: May 6, 2010 (No response from vendor)
Vendor Notified Attempt 2: May 10, 2010 (No response from vendor)
Vendor Notified Attempt 3: May 19, 2010 (No response from vendor)
Vendor Fixed: N/A
Vendor Notified of Disclosure: N/A
Disclosure to CERT: December 2, 2010
2010-11-06: Taddong contacts HTC again asking for the latest details or updates regarding the issue. The goal was to offer HTC an opportunity to step in prior to the public release, even delaying the previously set deadline (of Nov 4), trying to be extremely responsible.
2010-11-08: HTC replies informing Taddong that they are still analyzing it and will issue a notification on their website once they have reached a conclusion.
2010-11-21: Taddong informs HTC that it plans to release the vulnerability to the public on Monday, December 6, 2010, and encourages them to contact Taddong during the remaining two-week period, as the best option would be having a fix/update ready in order to offer a solution to end users.
2010-11-22: HTC informs Taddong that the engineering department is investigating and working on a solution for this issue.
2010-12-01: Taddong asks HTC about the availability of (or future plans to get) a CVE ID for this issue prior to the final public disclosure, trying to coordinate both parties.
2010-12-02: HTC confirms the engineering department has been notified about the CVE proposal and will get back with a response (three months since the original notification).
2010-12-11: Due to the lack of a response, Taddong finally requests one (or two; this is left up to MITRE) CVE ID(s) from MITRE. The CVE ID request process is the reason for a new delay in the second proposed deadline for public disclosure (Dec 6).
2010-12-15: Taddong tries, without success, to confirm that the CVE ID request has been received by MITRE. Taddong never got a response from MITRE about the CVE ID request.
2010-12-16: HTC provides a hotfix for testing to Taddong (named "LEO_S01175").
2010-12-17: Taddong replies confirming that the hotfix solves the Basic authentication issue, as OAuth is the only authentication method used after applying the hotfix. However, HTC Peep still discloses the user credentials in the initial OAuth exchange over HTTP. Taddong suggests using HTTPS for the whole Twitter session as the right solution (which would also solve other session-based attacks) and asks for the details of a future release.
2010-12-20: HTC confirms the suggested solutions have been passed on to the engineering department, and that the fix is available for several models. Taddong requests details of the affected models.
9. *Report Timeline*
. 2010-04-06:
Core Security Technologies notifies the CactuShop team of two
vulnerabilities in their software, an XSS vulnerability and a
SQL-injection vulnerability. April 19th, 2010, is proposed as the
release date.
. 2010-04-07:
9. *Report Timeline*
. 2009-06-04:
Core Security Technologies notifies the WordPress team of the
vulnerabilities (security@wordpress.org) and offers a technical
description encrypted or in plain text. The advisory is planned for
publication on June 22nd.
. 2009-06-08:
• September 10, 2008 - CFP opens. Game on!
• November 1, 2008 - Papers for preferential first round
consideration due
• December 1, 2008 - Final due date for all papers
• January 1, 2009 - All speakers notified
Submissions are due by December 1, 2008. Early selection speakers will
be notified by November 31, 2008. All other speakers will be notified
by the date specified above. We look forward to receiving your
submissions as well as seeing you at ShmooCon 2009!
logged-in to the application.
======================================================================
6) Time Table
24/02/2010 - Vendor of QSF Portal and PowerDNS Administrator notified.
04/03/2010 - Vendor of QSF Portal and PowerDNS Administrator notified
again.
10/03/2010 - Vendor of Quicksilver Forums notified.
12/03/2010 - Vendor of Quicksilver Forums responds.
17/03/2010 - Public disclosure.
Apply patches released by the vendor.
======================================================================
6) Time Table
24/10/2007 - Vendor notified.
24/10/2007 - Vendor response.
21/11/2007 - Status update requested.
21/11/2007 - Vendor responds that development is working on patches.
07/04/2008 - Status update requested.
08/04/2008 - Vendor notifies expected release in May 2008.
Affected Versions: 3.7.3 (older versions are probably also vulnerable)
Fixed Versions: 3.7.3 after applying vendor patch
Vulnerability Type: Code Execution
Security Risk: medium
Vendor URL: http://www.papoo.de
Vendor Status: notified, fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2009-005
Advisory Status: published
CVE: TBA
CVE URL: TBA
the maintainer have been ignored.
March 31st, 2009: Using the contents of the packaged AUTHORS
file, Brad Fitzpatrick and Anatoly Vorobey
were notified via e-mail.
April 7th, 2009: After receiving no reply from the official
maintainers, a request to contact any
acting maintainer(s) was made to the memcached
mailing list at <http://groups.google.com/ \
Do not use the database backup functionality.
existing backup files.