Re: Advisory: IIS FTP Exploit/DoS Attack

  • To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  • Subject: Re: Advisory: IIS FTP Exploit/DoS Attack
  • From: Russ <Russ.Cooper@RC.ON.CA>
  • Date: Mon, 25 Jan 1999 20:55:12 -0500
  • Approved-By: Russ.Cooper@RC.ON.CA
  • Reply-To: Russ <Russ.Cooper@RC.ON.CA>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

>Should these "security advisories" first be sent privately to Microsoft

<snip>

FYI, I let these posts through every once in a while in order to take
the pulse of the community. So you won't be seeing a discussion on the
list about this, but I am reading all of the feedback and taking it all
into consideration to use in my moderating.

My policy regarding this issue is this;

1. If I receive an announcement from a known group, company, or
organization, I pass it on to the list directly. I figure the l0pht,
eEye Digital Security Team, ISS X-Force, or others like them have
already made their own decisions about their disclosure policy.

2. If the message is copied to multiple destinations and is a worthwhile
message, I pass it on directly to the list. If it's in publication
elsewhere, it should be on NTBugtraq also so it can be addressed here.

3. If I receive an announcement from an individual or unknown group,
company, or organization, I do two things automatically;

a) I forward a copy to my contacts at Microsoft and ask if they already
know about it.

b) I send a message to the poster and ask if they have already contacted
Microsoft.

If the poster says they haven't contacted Microsoft I ask the poster if
they are willing to wait for a response to my query to MS on the issue.
If they agree, we wait. The wait time will typically not exceed 24 hours
for an initial response. The total wait time will not typically exceed
14 days, but may vary depending on the extent of the issue and the scope
of the solution. The goal is to wait for a fix before disclosure, but
not wait too long. Let me stress, this is done only with the agreement
of the poster!

If the poster says they have contacted Microsoft and wish the message be
put through immediately, I wait for confirmation from MS that they are
aware of the issue. There have been numerous instances of people
claiming to have sent a message to secure@microsoft.com which, in fact,
have not been sent to that address. Possibly they got sent to another
address by mistake, or just as possibly, a message was never sent. If MS
says they're unaware of the issue I re-pose the question to the poster
and inform them that MS is unaware of their message to them.

If the poster insists on the message being sent without MS being given
any time to address the situation, I send it out. I can only suggest,
not force, my opinion on the subject.

Attempting to suppress something on NTBugtraq would be stupid. There are
enough other widely read places out there that such a policy would
quickly lead to a loss of value in NTBugtraq. People would simply post
their information elsewhere and we'd be left as an archive of other
lists.

As far as Microsoft are concerned, let me say this from my personal
experience with them.

Microsoft have made dramatic changes in the way they handle security
issues over the last 18-24 months. Their ability to deal with them
quickly and in a more public fashion has been demonstrated in the large
number of post-SP hot fixes we saw after SP3. I'm not here asking for
praise for them, but I am suggesting that it's fairly obvious to many of
us that things are getting much better.

Microsoft now has dedicated teams devoted to security testing, something
which was far less obvious even a short time ago. This has led to faster
turn-arounds on reported issues. For example, on the MS Forms problem,
the turn-around was only 7 days. Others have come much quicker. This
belies the old belief that MS doesn't do anything until it's threatened
with publication.

Nevertheless, the squeaky wheel gets the oil, right? But if you're in
a room full of squeaky wheels, does it really matter which one gets the
oil first?

Your discovery, the one you haven't found yet but may find tomorrow, is
likely going to be the most important security issue from that point
until it's fixed, at least in your mind. In the greater scheme of things,
it may not be the most important security issue that needs to be
addressed that day. Unfortunately, when someone's got an exploit to
announce and they haven't waited for MS to prepare a fix, they don't
usually consider these things.

I could enforce a policy which said that nothing would be released until
MS had released a fix or 14 days had passed since I received it. It
would, however, take over 11,505 positive responses for me to do such a
thing (11,505 being ~half of the subscriber base of NTBugtraq).

Feel free to comment back on this message directly to me.

Cheers,
Russ - NTBugtraq moderator