I am also sick of seeing vendors downplay issues by calling them "potential" or "denial of service".
as an example... http://archives.neohapsis.com/archives/tru64/2002-q3/0019.html
Here's me *potentially exploiting the issue*:

bash-2.05a$ id
uid=201(dotslash) gid=15(users) groups=0(system)
bash-2.05a$ ./TRU64_su
# id
uid=0(root) gid=15(users) groups=15(users),0(system)
or http://xforce.iss.net/xforce/xfdb/7157 and http://www.blacksheepnetworks.com/security/hack/linux/squid.c
What part of me taking a root shell as a local user is a potential issue... and what part of me taking remote uid nobody entails a denial of service attack? Yeah, the abuser may have crashed the service while trying to exploit the issue, but that hardly qualifies denial of service as the impact of the bug.
As a side note, the three letter company I spoke about earlier today has since gone above and beyond at attempting to rectify the communications problem we had earlier. Thanks to those of you that helped out.
-KF
[EMAIL PROTECTED] wrote:
While there is some argument about what makes a vendor unresponsive, patch times in this case are, likely and understandably, quite lengthy. These fixes are not trivial to begin with, thanks in no small part to the incredible number of customers Microsoft has. As if the literally millions of configurations Microsoft software must support weren't enough, think for a second about the multiple different character sets its code applies to. Even the *DOCUMENTATION* for the patch must be translated into dozens of different languages -- no small task with exploitation looming on the horizon. However, it is obvious that in this case, the reporter did not attempt any contact with Microsoft whatsoever.
/////////
This is not my problem. I DON'T CARE!
That's your company and you do with it as you see fit. Whether you want to make 1 million versions of your product in order to grab every possible market share, so be it.
You'd better be damn sure that what you make works; otherwise, if you throw it out there and it breaks, someone has to pay.
Why not make one quality product instead of hundreds of flawed ones?
That's right! It's your company and you do with it as you see fit!
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
