[Full-disclosure] iDefense Security Advisory 12.14.05: Trend Micro ServerProtect relay.dll Chunked Overflow Vulnerability
mattmurphy at kc.rr.com
Thu Dec 15 02:10:53 GMT 2005
-----BEGIN PGP SIGNED MESSAGE-----
labs-no-reply at idefense.com wrote:
> We don't disagree with you. The vulnerability lies in the Microsoft
> Foundation Classes (MFC) static libraries. Trend Micro also acknowledges
> this in their response. Unfortunately, Trend Micro's product
> distributions are vulnerable since they ship with the old static libraries.
> Michael Sutton
> Director, iDefense Labs
That's all well-and-good. I see two problems with this, only one of
which deals with iDefense:
1. iDefense was sloppy about fact-checking and crediting prior reports.
If it surfaces that a vulnerability is a rediscovery of an unfixed
issue from a prior report, at least mention the prior report.
Particularly when you're buying/selling this as original research, it
makes iDefense look bad.
2. I'm betting that the reason why nobody at Trend paid more attention
than they did is because of the horrendous misdocumentation of the
service pack's fixes by Microsoft. The only thing that has to do with
your report is that it makes the rediscovery of the issue more blatant.
It seems my post has been taken as more hostile toward iDefense than was
intended. I'll say now that the majority of the blame for the fact this
was rediscovered in the first place lies squarely with Microsoft for its
spectacularly bad job of managing this vulnerability. Had Microsoft
taken the initiative to actually inform customers that a hole existed
when it released Service Pack 6 for Visual Studio 6.0 (or chosen a more
effective delivery vehicle), I have no doubt that a company the size of
Trend would have been much less likely to be caught off guard.
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."
-- Michael Holstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3436 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051214/0ab02e3e/attachment.bin
Full-Disclosure is hosted and sponsored by Secunia.