*498 days to fix an arbitrary code vulnerability
*Silently fixing buffer overrun vulns without releasing an advisory (http://xforce.iss.net/xforce/alerts/id/226, in "Additional Information" section)
Hmph. Wow.
I wonder if they kill-bitted older versions >>>hehehe ;-)
I ran across at least some of the same issues reported in early 2005 as well (didn't bother to report them though). All I can say is swiss-cheese for the stuff I looked at, what's a better word when you spend 30 minutes looking at a product and come up with a half dozen or so high impact flaws.
________________________________________
From: Mark Litchfield
Sent: Friday, July 07, 2006 9:58 AM
To: bugtraq (at) securityfocus (dot) com [email concealed]; vulnwatch (at) vulnwatch (dot) org [email concealed]; sec-adv (at) secunia (dot) com [email concealed]
Subject: WebEx Downloader Plug-in Multiple Vulnerabilities + rant
All these vulnerabilities were reported to WebEx by NGS Software back on the
24th February 2005 along with some other issues.
The current Director of the X-Force new about these issues as at the time of
their discovery, he worked with NGS.
Seeing as I'm the subject, here is another example whereby I found a bug (in
Skype) except Pentest-Limited were credited with it's discovery -
http://www.theregister.co.uk/2005/10/25/skype_vuln/ An extract from an
email below from Kurt Sauer (Security Operations / Skype Technologies),
shows that Mark Rowe of Pentest Ltd for some unknown reason had access to my
email sent to Kurt.
In reviewing our mail archives, I see that you *DID* report the vuln (the
VCARD aspect) to us -- to ME, directly -- before Mark Rowe did. However, I
(gulp) mishandled the e-mail.
As you surmised, it appears that Mark Rowe read that mail and found another
instantiation of the same bug, namely the handling of the command-line
parameters.
Completely my fault on that. It will take one "push" cycle (typically less
than a day) to get a correction posted, but I will both correct our
announcement and also redistribute it with corrected attribution.
I should have asked you to CC security (at) skype (dot) net [email concealed] on the actual vuln report,
because mail sent to that address is read by more than just me.
Importantly, I am going to hire a dedicated incident manager (as fast as
our hiring practices will allow) so that there is someone spending full
workdays just handing inbound messages on this topic.
Could never be bothered before to make an issue of it. But to sit on a
large number of flaws in a vendors software product for 498 days and see
other companies credited is a tad annoying :)
*Silently fixing buffer overrun vulns without releasing an advisory (http://xforce.iss.net/xforce/alerts/id/226, in "Additional Information" section)
Hmph. Wow.
I wonder if they kill-bitted older versions >>>hehehe ;-)
I ran across at least some of the same issues reported in early 2005 as well (didn't bother to report them though). All I can say is swiss-cheese for the stuff I looked at, what's a better word when you spend 30 minutes looking at a product and come up with a half dozen or so high impact flaws.
________________________________________
From: Mark Litchfield
Sent: Friday, July 07, 2006 9:58 AM
To: bugtraq (at) securityfocus (dot) com [email concealed]; vulnwatch (at) vulnwatch (dot) org [email concealed]; sec-adv (at) secunia (dot) com [email concealed]
Subject: WebEx Downloader Plug-in Multiple Vulnerabilities + rant
All these vulnerabilities were reported to WebEx by NGS Software back on the
24th February 2005 along with some other issues.
The current Director of the X-Force new about these issues as at the time of
their discovery, he worked with NGS.
Seeing as I'm the subject, here is another example whereby I found a bug (in
Skype) except Pentest-Limited were credited with it's discovery -
http://www.theregister.co.uk/2005/10/25/skype_vuln/ An extract from an
email below from Kurt Sauer (Security Operations / Skype Technologies),
shows that Mark Rowe of Pentest Ltd for some unknown reason had access to my
email sent to Kurt.
In reviewing our mail archives, I see that you *DID* report the vuln (the
VCARD aspect) to us -- to ME, directly -- before Mark Rowe did. However, I
(gulp) mishandled the e-mail.
As you surmised, it appears that Mark Rowe read that mail and found another
instantiation of the same bug, namely the handling of the command-line
parameters.
Completely my fault on that. It will take one "push" cycle (typically less
than a day) to get a correction posted, but I will both correct our
announcement and also redistribute it with corrected attribution.
I should have asked you to CC security (at) skype (dot) net [email concealed] on the actual vuln report,
because mail sent to that address is read by more than just me.
Importantly, I am going to hire a dedicated incident manager (as fast as
our hiring practices will allow) so that there is someone spending full
workdays just handing inbound messages on this topic.
Could never be bothered before to make an issue of it. But to sit on a
large number of flaws in a vendors software product for 498 days and see
other companies credited is a tad annoying :)
All the best
Mark Litchfield
[ reply ]