Re: [Full-disclosure] iDefense Security Advisory 12.14.05: Trend Micro ServerProtect relay.dll Chunked Overflow Vulnerability
From: Matthew Murphy (mattmurphykc.rr.com)
Date: Wed Dec 14 2005 - 20:10:53 CST
> We don't disagree with you. The vulnerability lies in the Microsoft
> Foundation Classes (MFC) static libraries. Trend Micro also acknowledges
> this in their response. Unfortunately, Trend Micro's product
> distributions are vulnerable since they ship with the old static libraries.
> Michael Sutton
> Director, iDefense Labs
That's all well-and-good. I see two problems with this, only one of
which deals with iDefense:
1. iDefense was sloppy about fact-checking and crediting prior reports.
If it surfaces that a vulnerability is a rediscovery of an unfixed
issue from a prior report, at least mention the prior report.
Particularly when you're buying/selling this as original research, it
makes iDefense look bad.
2. I'm betting that the reason why nobody at Trend paid more attention
than they did is because of the horrendous misdocumentation of the
service pack's fixes by Microsoft. The only thing that has to do with
your report is that it makes the rediscovery of the issue more blatant.
It seems my post has been taken as more hostile toward iDefense than was
intended. I'll say now that the majority of the blame for the fact this
was rediscovered in the first place lies squarely with Microsoft for its
spectacularly bad job of managing this vulnerability. Had Microsoft
taken the initiative to actually inform customers that a hole existed
when it released Service Pack 6 for Visual Studio 6.0 (or chosen a more
effective delivery vehicle), I have no doubt that a company the size of
Trend would have been much less likely to be caught off guard.
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."
-- Michael Holstein
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/